220R95101
United States
Environmental Protection
Agency
Office of Information 2185
Resources Management 8/10/95
Research Triangle Park, NC 27711
GOOD AUTOMATED LABORATORY PRACTICES
2185 - Good Automated
Laboratory Practices
Principles and Guidance to Regulations
For Ensuring Data Integrity In Automated
Laboratory Operations
vn i
Ip>rriPfit3l
P %ir | tf | O I I ^Q ?
1995 Edition
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
Good Automated Laboratory Practices
August 10, 1995
Principles and Guidance to
Regulations For Ensuring Data Integrity
In Automated Laboratory Operations
with Implementation Guidance
1995 Edition
Scientific Systems Staff
Office of Information Resources Management
U.S. Environmental Protection Agency
Research Triangle Park, North Carolina 27711
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
ir a man will begin with certainties, he
shall end in doubt: but if he will be
content to begin with doubts, he shall
end in certainties.
Francis Bacon
in
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
Preface
Most EPA regulatory and research programs have regulations or requirements by
contract clause that govern the conduct of laboratory studies. The GALPs do not
supersede any existing requirements or regulations of EPA's organizations, nor do they
augment them. Some of the GALP provisions guide EPA staff and its agents (contractors
or grantees) to existing EPA requirements such as the System Life Cycle Management,
Chapter 17 of Information Resources Management Policy Manual.
The GALPs are developed from essential principles inherent to sustaining challenges
to the reliability of data. These include traceability, accountability, standardized
procedures, adequate resources, and, importantly, the availability of documentation that
supports conformance with these principles. Each GALP provision embraces at least one
of these principles.
The intended objective of the GALPs is to provide EPA organizations with a set of
benchmarks to examine in light of their needs and established requirements or regulations.
If an organization then determines that changes or additions to their own requirements or
regulations are needed, it is the responsibility of that organization to amend their
requirements or regulations.
The GALPs have been constructed to address realities of 1995. They may be
modified over time to reflect changes in U.S. laws such as the congressionally-mandated
Computer Security Act, requirements by the Office of Management and Budget, and
others. They may also be modified over time to address advances in automated data
management technologies.
IV
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
Executive Summary
This document describes benchmarks, Good Automated Laboratory Practices
(GALPs), for assuring the reliability of laboratory data. The GALPs are principles and
guidelines to regulations for laboratories that use or are planning to use a wide range of
automated data collection and management systems. The GALPs are EPA's response to
mounting evidence of corruption, loss, and inappropriate modification of computerized
laboratory data by EPA contractors.
The GALPs are a union of Federal regulations, policies, and guidance documents.
Several of the GALP provisions are embodied in EPA's Good Laboratory Practice
Standards (GLPs). The GLPs are regulations that govern the management and conduct
of mostnonclinical laboratory studies submitted to EPA's office of Toxic Substances and
its Office of Pesticide Programs.
Several GALPs are contained in EPA's Information Resource Management (IRM)
policies. These policies prescribe methodologies and practices for using automated data
processing hardware and software. The IRM policies are directed to EPA staff and its
agents (contractors and grantees) and generally implement broader Federal mandates
such as the congressionally-mandated Computer Security Act of 1987, the Office of
Management and Budget Circular A-130, and others. Most of these are also specifically
required by EPA Acquisition Regulations.
This document is divided into two sections. The first chapter formally establishes the
GALPs, describes the purpose they serve, provides background information about
studies that led to their development, and explains their scope and applicability. The
second chapter provides laboratories with additional explanations of each provision and
other relevant information to assist laboratory staff in implementing each applicable
provision.
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
Acknowledgments
This document culminates a six year program by EPA's Office of Information
Resources Management (OIRM). Numerous experts in national and international
laboratory standards, laboratory automation experts, senior managers and technical staff
in government and private companies provided invaluable support.
Mr. Mickey Cline and Dr. Walter Shackelford, both of OIRM, identified the need for
the program, ensured that resources were provided, offered many valuable suggestions
that helped to focus the program, and provided encouragement when obstacles seemed
insurmountable. Without their support this program likely would not be completed.
Ms. LynnLaubisch's (Durham, NC) contribution to the publication of this document
far exceeded her title, "Micro Graphics Specialist." She is responsible for transforming
what could have been a dull, monotonous and probably difficult-to-follow publication
into a refreshing, easy to read "text book" that enables complex concepts to be easily
accessible to a diverse readership. While a cursory review of the document demonstrates
her skill in page layout, font selection, and icon and diagram creation, a careful reading
of the text is indicative of her oversight in helping to eliminate convoluted sentences and
make the text easily readable.
Ms. Stephanie Taublee, Mr. David Brodish both of Research Triangle Institute (RTI),
and Ms. Terrie Baker, formerly of RTI, deserve most of the credit for the areas of quality
assurance (QA) the GALPs embrace and explain. Their professional QA experience,
dedication, determination and commitment to doing the right thing on time, and their
ability to examine highly charged and sensitive issues from several angles were essential.
Mr. Keith McLaurin of Technology Planning and Management Corporation (TPMC),
Mr. Don Weyel, formerly of TPMC, and Mr. Bill Hampton, a Consultant to TPMC,
instilled a wealth of the discipline of Computer Science to the GALPs. Their knowledge
and experience in automated system design and development, computing and
VI
-------�
2185 1995 Ed. GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
communication technologies, and the evolving specialized area of computer security
enabled issues related to current computing environments, system life cycle and a myriad
of intricate factors affecting computing security to be thoroughly andaccurately explained
in the document.
Mr. Dexter Goldman of Goldman and Associates enthusiastically supported this
program from its inception. His extensive experience in EPA's Good Laboratory
Practice Standards is reflected in many areas of the document. His critical review of
earlier drafts was essential. He identified and recommended numerous changes not noted
by other reviewers that, though subtle, had profound impact.
Dr. Sandy Weinberg of Weinberg, Sax and Spelton Associates deserves much of the
credit for getting this program started in the right direction. He afforded the program with
an unparalleled wealth of experience in assisting laboratories in complying with national
laboratory standards, auditing laboratory operations, and translating national and
international laboratory guidelines into laboratory operating standards.
Rick Johnson Voice: (919)541-1132
EPA(MD-34) Fax: (919)541-1383
RTF, NC 27711 Internet: johnson.rick@epamail.epa.gov
vn
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
Contents
Preface iii
Executive Summary v
Acknowledgments vii
Chapter 1 GALP Overview
1. Purpose 1-1
2. Scope and Applicability 1-1
a. Organizations 1-1
b. Relation to Other Regulations and Requirements 1-2
c. Applicable Systems 1-2
Figure 1.1. Principles and Regulations Used in Developing the GALPs 1-3
Figure 1.2. Automated Laboratory Systems NOT Subject to the GALPs 1-4
Figure 1.3. Automated Laboratory Systems Subject to the GALPs 1-4
3. Document Organization 1-4
4. Policy 1-5
5. Authorities and References 1-5
a. Authorities 1-5
b. References 1-6
6. Responsibilities 1-6
7. Background 1-7
8. Good Automated Laboratory Practices 1-9
8.1 Laboratory Management 1-9
8.2 Personnel 1-9
8.3 Quality Assurance Unit 1-10
8.4 LIMS Raw Data 1-10
8.5 Software 1-11
8.6 Security 1-12
8.7 Hardware 1-12
Vlll
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed
8/10/95
Contents
8.8 Comprehensive Testing 1-13
8.9 Records Retention 1-13
8.10 Facilities 1-13
8.11 Standard Operating Procedures 1-14
9. Definitions 1-14
10. List of Acronyms 1-19
11. Sources 1-20
Chapter 2* Implementation Assistance
1. Principles 2-1
2. Implementation Key 2-3
3. GALP Implementation 2-5
*Chapter 2 is contained in a separate file, galpchp2
IX
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
Chapter 1 GALP Overview
1. PURPOSE
Most of the health and environmental data EPA uses in its regulatory programs are
analyzed in and reported by laboratories. Increasingly, these laboratories employ
laboratory information management systems (LIMS) to acquire, record, manipulate,
store, and archive their data (see 2.cAi-r .K \r,\ i S>.VICMS). Though many benchmarks are
scattered across EPA's regulatory programs, EPA has no consistent set of standards for
the use of LIMS that promote integrity of laboratory data.
The purpose of the Good Automated Laboratory Practices (GALPs) is to establish a
uniform set of procedures to assure that all LIMS data used by EPA are reliable and
credible.
2. SCOPE AND APPLICABILITY
a. Organizations
The GALPs are applicable to all EPA organizations, personnel, or agents (contrac-
tors and grantees) of EPA who collect, analyze, process, or maintain laboratory data
for EPA. These organizations include the Agency's Regional Laboratories, and
laboratories submitting data through contracts or grants with EPA, including the
Superfund Contract Laboratory Program (CLP). Other organizations who wish to
improve assurance of the integrity of laboratory data where LIMS are used are
encouraged to review and implement applicable GALP provisions (see also
1-1
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed
8/10/95
b. Relation to Other Regulations and Requirements
Federal regulations, EPA directives, policies, and its contract requirements govern
the activities performed by laboratories that submit data to the Agency. Various
laboratories are involved in the collection and analysis of environmental data and
not all laboratories are subject to the same set of regulations and requirements.
EPA's Contract Laboratory Program sets requirements by explicit clauses and
clauses incorporated by reference in their governing contracts. Similarly, labora-
tories that submit studies in support of the registration or re-registration of
pesticides under the Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA)
are subject to the Good Laboratory Practice (GLP) Standards [40 Code of Federal
Regulations (CFR) Part 160. Federal Register Vol. 54, No. 158, August 17,1989].
Laboratories that submit studies required by the test rules and negotiated testing
agreements section of the Toxic Substances Control Act (TSCA) are subject to the
GLP regulations at 40 CFR Part 792.
The GALPs include many of the GLP requirements for managing the conduct of
studies. The GALPs supplement the GLPs with Federal and EPA policies that
address automated hardware, software development and operation, electronic
transfer, and systems security. These are collectively referred to by the term
Information Resources Management (IRM) policies. Thus the GALPs integrate
GLP practices and procedures with IRM practices and procedures, to ensure the
integrity of data that are entered, stored, and manipulated by the LIMS (see Figure
1.1).
c. Applicable Systems
The GALPs use the acronym LIMS, laboratory information management system,
to describe the automated laboratory systems that collect and manage data
discussed in this Directive. There is a limitless range of possible configurations of
automated data collection and processing equipment, communication compo-
nents, types of operating system software, database management systems, and
application software that can constitute a LIMS. The GALPs are directed to most
configurations that are involved with entering, recording, manipulating, modify-
ing, and retrieving data.
1-2
-------�
2185 1995 Ed
8/10/95
GOOD AUTOMATED LABORATORY PRACTICES
Federal IRM Policy
Computer Security Act
of 1987
OMB Circular A-130
OMB Bulletin 90-08
FIPS Publications
31, 65, and 73
EPA IRM Policy
EPA Information Resources
Management Policy Manual
EPA Operations and
Maintenance Manual
EPA Information Security
Manual
GALPs
EPA's
TSCA and FIFRA
Good Laboratory
Practice Standards
Figure 1.1. Principles and Regulations Used in Developing the GALPs
(See 10. At.Ro\iMs)
Not all automated laboratory systems are LIMS. Automated laboratory systems
that record data but do not allow changes to the data are not LIMS (see Figure 1.2).
For example, an instrument that measures weights and produces or maintains a
readout of the weight is not a LIMS, if the true reading cannot be altered by a person
prior to recording.
The ability to effect changes to original observations or measurements is the factor
in determining whether the automated laboratory system is a LIMS (see Figine
1,3). If data entering automated laboratory systems can be manipulated or changed
in any way by the action of a person prior to being recorded, then that automated
laboratory system is a LIMS.
1-3
-------�
GOOD AUTOMATED LABORATORY PRACTICES
2185 1995 Ed
8/10/95
Data being
recorded to paper
Automated
Instrument
Figure 1.2. Automated Laboratory Systems NOT Subject to the GALPs
First recording
of data
Automated
Instrument
Laboratory Information
8Management System (LIMS)*
Figure 1.3. Automated Laboratory Systems Subject to the GALPs
3. DOCUMENT ORGANIZATION
This document is organized into two chapters. This first chapter, GALP OVERVIEW,
describes basic facts about the GALPs, including the purpose they serve, the scope,
applicability and organization of this directive, the policy the GALPs implement,
authorities and references supporting the GALPs, responsibilities of organizations,
background information, the GALP provisions, definitions of terms, list of acronyms,
and sources for Federal information resources management publications referenced in
the GALP.
Chapter 2, GALP IMPLEMENTATION ASSISTANCE, provides additional information about
each GALP provision. It is intended to assist in the successful application of each GALP
provision. See the introduction to Chapter 2 for additional discussion.
1-4
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
4. POLICY
It is EPA policy to implement and comply with all applicable information management
laws mandated by Congress, all requirements issued by the Office of Management and
Budget (OMB), all Federal Information Resource Management Regulations (FIRMR)
issued by the General Services Administration (GSA), and all Information Processing
Regulations issued by the National Institute of Science and Technology (NIST).
It is also EPA policy that data collected, analyzed, processed, or maintained to support
health and environmental effects studies be of sufficient accuracy and integrity to
support effective environmental management.
EPA recognizes that absolute data integrity is not possible and that reliability and
defensibility are determined by adherence to principles and practices that contribute to
improving integrity. The GALPs balance risk against cost, incorporating existing
Federal and EPA policies.
5. AUTHORITIES AND REFERENCES
a. Authorities
(1) Computer Security Act of 1987, Public Law 100-235
(2) EPA Information Resources Management Policy Manual, Chapter 17 and
Chapter 18, September 1994
(3) EPA Information Security Manual, December 1989
(4) EPA Operations and Maintenance Manual, April 1990
(5) Federal Information Processing Standards (FIPS) Publication 31: Guide-
lines for Automatic Data Processing Physical Security and Risk Manage-
ment, June 1974
(6) Federal Information Processing Standards (FIPS) Publication 65: Guide-
lines for Automatic Data Processing Risk Analysis, August 1979
(7) Federal Information Processing Standards (FIPS) Publication 73: Guide-
lines for Security of Computer Applications, June 1980
(8) Federal Insecticide, Fungicide and Rodenticide (FIFRA); Good Laboratory
Practice Standards. 40 CFR Part 160. Federal Register Vol. 54, No. 158,
August 17, 1989
1-5
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
(9) Office of Management and Budget (OMB) Circular A-130, Management of
Federal Information Resources, as Amended, April 29, 1992 (this Circular
may be subject to revision)
(10) Office of Management and Budget (OMB) Bulletin 90-08, Guidance for
Preparation of Security Plans for Federal Computer Systems that Contain
Sensitive Information, July 1990
(11) Toxic Substances Control Act (TSCA); Good Laboratory Practice Stan-
dards. 40 CFRPart 792. Federal Register Vol. 54, No. 158, August 17,1989
b. References
(1) Automated Laboratory Standards: Current Automated Laboratory Data
Management Practices, EPA/OIRM (Final, June 1990)
(2) Automated Laboratory Standards: Evaluation of Good Laboratory Practices
for EPA Programs, EPA/OIRM (Draft, June 1990)
(3) Automated Laboratory Standards: Survey of Current Automated Technol-
ogy, EPA/OIRM (Final, June 1990)
(4) Automated Laboratory Standards: Evaluation of the Use of Automated
Financial System Procedures, EPA/OIRM (Final, June 1990)
(5) Automated Laboratory Standards: Evaluation of the Standards and Proce-
dures Used in Automated Clinical Laboratories, EPA/OIRM (Draft, May
1990)
(6) National Institute of Science and Technology (NIST) Special Publication
500-166, Computer Viruses and Related Threats: A Management Guide
(August 1989)
(7) U.S. Department of Commerce National Bureau of Standards (NBS) Special
Publication 500-101, Care and Handling of Computer Magnetic Storage
Media (June 1983)
6. RESPONSIBILITIES
a. The Office of Information Resources Management (OIRM) shall:
(1) be responsible for developing, establishing, providing, and main-
taining the GALPs.
1-6
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
(2) provide guidance and technical assistance, where feasible and appro-
priate, in implementing and improving the provisions of the GALPs.
b. Each "Primary Organization Head" (defined by EPA Order 1000.24 as the
Deputy Administrator, Assistant Administrators, Regional Administrators, the
Inspector General, and the General Counsel) is responsible for:
(1) complying with all applicable Federal and EPA rules and regulations
affecting the collection, analysis, processing, storage, or maintenance of
LIMS data. These are indicated in each GALP provision by the use of
underlined lettering, such as EPA Information Security Manual.
(2) reviewing the GALPs and taking the necessary measures to implement
appropriate provisions provided in the GALPs that will improve the integrity
of LIMS data.
7. BACKGROUND
a. EPA relies heavily on laboratory data to accomplish its mission. The
accuracy and integrity of these data are essential to EPA's ability to effectively
formulate policy, make decisions, and take action on issues involving public health
and the environment. Laboratory data are therefore critical Agency assets and must
be managed and protected as such.
b. The computer is increasingly replacing and augmenting many manual
operations in the laboratory. Much of the laboratory data now submitted to EPA
have been created, collected, processed, managed, or in other ways manipulated by
LIMS.
c. Laboratory data are exposed to potential loss and misuse from a variety of
accidental and deliberate causes. Cases involving the corruption, loss, and
inappropriate modification of computerized laboratory data provided to EPA have
resulted in debarments, suspensions, fines, and criminal prosecution.
d. EPA's OIRM conducted several studies to assess the automated data
management practices employed by laboratories to ensure data integrity.
Principal findings and recommendations of these studies included:
1-7
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
(1) The integrity of computer-resident data is at risk in many laboratories
providing scientific and technical data to EPA. Inadequate system security,
data verification, standardized procedures, designation of responsibility, and
documentation are to a large extent responsible for these risks.
(2) EPA has no Agencywide policy for laboratories that collect and
manage LIMS data. The laboratories that provide data to EPA are subject to
differing regulations, policies, and contract requirements for the conduct of
studies and management and operation of the laboratory.
(3) In many cases, the requirements that a laboratory must follow in
conducting a study are vague or ambiguous regarding the special concerns
and issues related to LIMS. For example, FIFRA and TSCA GLPs refer to
"recorded data from automated instruments"; however, standards or guid-
ance for performing LIMS risk assessments and LIMS software develop-
ment and modification are not directly addressed in the GLPs.
(4) EPA has no definitive guidelines to aid the Agency's inspectors and
auditors when they inspect laboratories that use LIMS in the conduct of a
study.
(5) The need for Agencywide standards and guidance is recognized and
acknowledged by the laboratory community and LIMS vendors.
(6) Data management practices should be standardized for all laboratories
supporting EPA programs and the Agency should assume the responsibility
for establishing these standards. The guidance and training provided to the
Agency's inspectors and auditors should also be augmented accordingly.
e. In response to the findings of these studies, OIRM initiated the development
oftheGALP. The first draft of the GALP was issued in December 1990. Since
that time, over one thousand copies of the draft GALP document have been
distributed to EPA regional and program offices, other Federal agencies, industry,
associations, and private citizens and groups.
f. OIRM received over 600 individual comments on the first draft of the GALP
document. OIRM additionally contracted for the review of the document by
1-8
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
subject-area experts in the fields of laboratory data systems, laboratory manage-
ment, systems security, telecommunications, systems development, quality assur-
ance, and information resources management. Document comments received
from all sources were reviewed and evaluated by OIRM in the development of this
final version of the GALP.
8. GOOD AUTOMATED LABORATORY PRACTICES
8.1 LABORATORY MANAGEMENT
When LIMS Raw Data (see 8.4,1) are collected, analyzed, processed, or main-
tained, laboratory management shall:
8.1.1 ensure that personnel clearly understand the function(s) they are to
perform on the LIMS.
8.1.2 ensure that a Quality Assurance Unit (QAU) monitors LIMS activities as
described in 8.3
8.1.3 ensure that personnel, resources, and facilities are adequate and available
as scheduled.
8.1.4 receive reports of QAU inspections of the LIMS (see 8.3.3) and audits of
LIMS Raw Data (see 8,3.5) and ensure that corrective actions are promptly
taken in response to any deficiencies.
8.1.5 approve the standard operating procedures (SOPs) setting forth the meth-
ods that assure LIMS Raw Data integrity, ensure that any deviations from
SOPs and applicable GALP provisions are appropriately documented and
that corrective actions are taken and documented, and approve subsequent
changes to SOPs (see 8.11).
8.1.6 assure that each applicable GALP provision is followed. With the
exception of 8.1,8.2, and 8.3, laboratory management may delegate GALP
implementation and compliance to one or more responsible persons.
8.2 PERSONNEL
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that all LIMS support staff and users:
8.2.1 have adequate education, training, and experience to perform assigned
LIMS functions.
1-9
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
8.2.2 have a current summary of their training, experience, and job description,
including their knowledge relevant to LIMS design and operation, main-
tained at the facility.
8.2.3 are of sufficient number for timely and proper operation of the LIMS.
8.3 QUALITY ASSURANCE UNIT
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
8.3.1 be entirely separate from and independent of LIMS personnel, and shall
report directly to laboratory management.
8.3.2 have immediate access to the LIMS data, SOPs, and other records pertain-
ing to the operation and maintenance of the LIMS.
8.3.3 inspect the LIMS at intervals adequate to ensure the integrity of the LIMS
Raw Data (see 8,3,5); prepare inspection reports that include a description
of the LIMS operation inspected, the dates of the inspection, the person
performing the inspection, findings and problems observed, action recom-
mended and taken to resolve existing problems, and any scheduled dates
for reinspection; and report to laboratory management any problems that
may affect data integrity.
8.3.4 determine that no deviations from approved SOPs were made without
proper authorization (see 8.1.5) and sufficient documentation.
8.3.5 periodically audit the LIMS Raw Data to ensure their integrity.
8.3.6 ensure that the responsibilities and procedures applicable to the QAU, the
records maintained by the QAU, and the method of indexing such records
are documented and are maintained.
8.4 LIMS RAW DATA
Laboratory management shall ensure that:
8.4.1 LIMS Raw Data (LRD) and LRD storage media on which they reside (see
9. Dr.FiMTio.Ns LIMS Raw Data and LIMS Raw Data storage media) are
identified and documented. This documentation shall be included in the
laboratory's SOPs.
1-10
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
8.4.2 the individual(s) responsible for entering and recording LIMS Raw Data
is (are) uniquely identified when the data are recorded, and the time(s) and
date(s) are documented.
8.4.3 the instrument transmitting LIMS Raw Data is uniquely identified when
the data are recorded, and the time and date are documented.
8.4.4 procedures and practices to verify the accuracy of LIMS Raw Data are
documented and included in the laboratory's SOPs, and managed as
described in 8.11
8.4.5 procedures and practices for making changes to LIMS Raw Data are
documented and provide evidence of change, preserve the original re-
corded documentation (see 8.4.2 and 8.4.3), are dated, indicate the reason
for the change, identify- the person who made the change and, if different,
the person who authorized the change. These procedures shall be included
in the laboratory's SOPs, and managed as described in 8,11
8.5 SOFTWARE
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
8.5.1 SOPs are established, approved, and managed as described in 8.11 for:
8.5.1.1 development methodologies that are based on the size and nature
of software being developed. EPA and its agents shall comply
with EPA Information Resources Management Policy Manual,
Chapter 17.
8.5.1.2 testing and quality assurance methods to ensure that all LIMS
software accurately performs its intended functions, including:
acceptance criteria, tests to be used, personnel responsible for
conducting the tests, documentation of test results, and test
review and approval.
8.5.1.3 change control methods that include instructions for requesting,
testing, approving, documenting, and implementing changes.
When indicated, change control methods shall also include
reporting and evaluating problems, as well as implementing
corrective actions.
8.5.1.4 version control methods that document the LIMS software version
currently used.
1-11
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
8.5.1.5 maintaining a historical file of software, software operating
procedures (manuals), software changes, and software version
numbers.
8.5.2 documentation is established and maintained to demonstrate the validity of
software used in the LIMS.
8.5.2.1 for existing and commercially-available LIMS, minimum
documentation shall include, but not be limited to: a description
of the software and functional requirements; listing of all
algorithms and formulas; and, as they occur, testing and quality
assurance, installation and operation, maintenance/enhancement,
and retirement.
8.5.2.2 for new LIMS development or modification of existing LIMS,
documentation shall cover all phases of the generic software life
cycle. EPA laboratories and those of its agents (contractors and
grantees) shall comply with the documentation requirements
specified in EPA Information Resources Management Policy
Manual. Chapter 17.
8.5.3 all documentation specified in 8.5.2 is readily available in the facility
where the software is used, and the SOPs specified in 8.5.1 are readily
available in the laboratory areas where procedures are performed.
8.5.4 a historical file of software and the documentation specified in 8.5.2 are
retained according to procedures outlined in 8.9.
8.6 SECURITY
Laboratory management shall ensure that security practices to assure the integrity
of LIMS data are adequate. EPA laboratories and those of its agents (contractors
and grantees) shall comply with EPA's Information Security Policy.
8.7 HARDWARE
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that LIMS hardware and communications compo-
nents are:
8.7.1 of adequate design and capacity, and a description is documented and
maintained.
1-12
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
8.7.2 installed and operated in accordance with manufacturer's recommenda-
tions and, at installation, undergo acceptance testing that conforms to
acceptance criteria. SOPs shall be established and maintained to define the
acceptance criteria, testing, documentation, and approval required for
changes to LIMS hardware and communications components.
8.7.3 adequately tested, inspected, and maintained. SOPs for and documenta-
tion of these routine operations shall be maintained. Documentation of
non-routine maintenance shall also include a description of the problem,
the corrective action, acceptance testing criteria, and the acceptance
testing performed to ensure that the LIMS hardware and communications
components have been adequately repaired.
8.8 COMPREHENSIVE TESTING
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that comprehensive testing of LIMS performance
is conducted, at least once every 24 months or more frequently as a result of
software (see 8.5.2) or hardware (see 8.7.2) changes or modifications. These tests
shall be documented and the documentation shall be retained and available for
inspection or audit.
8.9 RECORDS RETENTION
Laboratory management shall ensure that retention of LIMS Raw Data, documen-
tation, and records pertaining to the LIMS comply with EPA contract, statute, or
regulation; and SOPs for retention are documented, maintained, and managed as
described in 8.! I
8.10 FACILITIES
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that:
8.10.1 the environmental conditions of the facility housing the LIMS are regu-
lated to protect against LIMS Raw Data loss.
8.10.2 environmentally adequate storage capability for retention of LIMS Raw
Data, LIMS Raw Data storage media, documentation, and records pertain-
ing to the LIMS are provided.
1-13
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
8.11 STANDARD OPERATING PROCEDURES
Laboratory management shall ensure that:
8.11.1 SOPs include, but are not limited to, those specified in 8,4.1. 8.4,4, 8.4.5,
8.5.1.1 through 8.5.1,5,8.7.2, 8.7.3, and 8.9. Each current SOP shall be
readily available where the procedure is performed.
8.11.2 SOPs are periodically reviewed at a frequency adequate to ensure that they
accurately describe the current procedures.
8.11.3 SOPs are authorized and changed in accordance with 8.1.5.
8.11.4 a historical file of SOPs is maintained.
9. DEFINITIONS
The definitions below generally come from existing Federal and EPA information
management publications. While broader or narrower definitions, published in other
authoritative sources, could have been used, those below were selected because they are
more focused on the environment of laboratory data management.
Acceptance testing Formal testing conducted to determine whether or not a system
satisfies its acceptance criteria and to enable the customer to determine whether or
not to accept the system. FIPS Publication 101, June 1983.
Assurance A measure of confidence that the security features and architecture of [a
LIMS] accurately mediate and enforce the security policy. Modified from EPA Risk
Analysis Guideline (Draft) March 1992.
Audit A qualitative and quantitative evaluation of the documentation and procedures
associated with the LIMS to verify that resulting LIMS Raw Data are of acceptable
quality. Modified from EPA Quality Assurance Management Staff, January 6,1994.
Change control Management and implementation methodologies associated with
increasing or correcting system capabilities, a partial system redesign, or determi-
ning software obsolescence. EPA Operations and Maintenance Manual, April 1990.
Commercially-available software Software that is available through lease or purchase
in the commercial market. Software that is furnished as part of the [LIMS] system
1-14
-------�
2185 1995 Ed. GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
but that is separately priced is included. EPA Information Resources Management
Policy Manual, Chapter 17, September 1994.
Data A representation of facts, concepts, information, or instructions suitable for
communication, interpretation, or processing by humans [or by a LIMS]. EPA Risk
Analysis Guideline (Draft) March 1992.
Design (software life cycle) The stage that specifies the automated and manual
functions and procedures, the computer programs, and data storage techniques that
meet the requirements identified and the security and control techniques that assure
the integrity of the system. EPA Information Resources Management Policy
Manual, Chapter 17, September 1994.
Documentation The process of gathering written or electronic information describing,
defining, specifying, reporting, or certifying activities, requirements, procedures, or
results. Modified from ASME NQA-L Quality Assurance Program Requirements
for Nuclear Facilities, 1989 edition as cited in ANSI/ASOC E4-1994.
Facility The premises and operational unit(s) that are necessary for operating a LIMS.
Modifi ed from Organization for Economic Cooperation and Development Series on
Principles of Good Laboratory Practice and Compliance Monitoring Number 1:
The OECD Principles of Good Laboratory Practice. Environment Monograph No.
45 (1992).
Hardware Physical equipment such as the computer and its related peripheral devices,
tape drives, disk drives, printers, etc. EPA Information Resources Management
Policy Manual, Chapter 17, September 1994.
Information Any communication or reception of knowledge such as facts, data or
opinions, including numerical, graphic, or narrative forms, whether oral or main-
tained in any medium, including computerized databases (e.g., floppy disk and hard
disk), papers, microform (microfiche or microfilm), or magnetic tape. EPA Risk
Analysis Guideline (Draft) March 1992.
Initiation (software life cycle) A request for the development of asystem to meet aneed
for information or to solve a problem for the individual making the request. EPA
Information Resources Management Policy Manual, Chapter 17. September 1994.
Inspect To measure, examine, test or gauge one or more characteristics of an entity and
compare the results with specified requirements in order to establish whether
1-15
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
conformance is achieved for each characteristic. Modified from ANSI/ASQC 34-
1994 Specifications and Guidelines for Quality Systems for Environmental Data
Collection and Environmental Technology Programs, January 3, 1995.
Installation and operation (software life cycle) Incorporation and continuing use of
the new system by the organization. EPA Information Resources Management
Policy Manual, Chapter 17, September 1994.
Integrity Sound, unimpaired or perfect condition. That computer security characteris-
tic that ensures that computer resources operate correctly and that the data in the
databases are correct. This characteristic protects against deliberate or inadvertent
unauthorized manipulation of the system and ensures and maintains the security of
entities of a computer system under all conditions. Integrity is concerned with
protecting information from corruption. EPA Risk Analysis Guideline (Draft)
March 1992.
Laboratory Information Management System (LIMS) See 2.c APPUCABU-. Svs-
Laboratory management Those individuals directly responsible and accountable for
planning, implementing, and assessing work, and for the overall operation of a
facility. Modified from ANSI/ASQC 34-1994 Specifications and Guidelines for
Quality Systems for Environmental Data Collection and Environmental Technology
Programs, January 1995.
LIMS Raw Data (LRD) Original observations recorded by the LIMS that are needed
to verify, calculate, or derive data that are or may be reported.
LIMS Raw Data (LRD) storage media The media to which LIMS Raw Data are first
recorded.
Maintenance/enhancement (software life cycle) Resolving problems not detected
during testing, improving the performance of the product and modifying the system
to meet changing requirements. (Full-scale enhancements require full life cycle
analysis.). EPA Information Resources Management Policy Manual, Chapter 17,
September 1994.
Original observations The first occurrence of human-readable information.
1-16
-------�
2185 1995 Ed. GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
Programming (software life cycle) Coding of the program modules that implement the
design. EPA Information Resources Management Policy Manual, Chapter 17,
September 1994.
Quality Assurance Unit Any person or organizational element designated by labora-
tory management to monitor the LIMS functions and procedures. Modified from
EPA GLPs, August 17, 1989.
Records All books, papers, maps, photographs, machine-readable materials, or other
documentary materials, regardless of physical form or characteristics, made or
received by an agency of the United States Government under Federal law or in
connection with the transaction of public business and preserved or appropriate for
preservation by that agency or its legitimate successor as evidence of the organiza-
tion, functions, policies, decisions, procedures, operations, or other activities of the
government or because of the informational value of the data in them. Library and
museum material made or acquired and preserved solely for reference or exhibition
purposes, extra copies of documents preserved only for convenience of reference,
and stocks of publications and of processed documents are not included. 44 U.S. C
3301.
Requirements analysis (software life cycle) Determination of what is required to
automate the function(s) identified by the organization. EPA Information Resources
Management Policy Manual, Chapter 17, September 1994.
Retirement (software life cycle) The stage which ends use of the system. EPA
Information Resources Management Policy Manual, Chapter 17, September 1994.
Security The set of laws, rules, and practices that regulate how an organization
manages, protects, and distributes sensitive data. EPA Risk Analysis Guideline
(Draft) March 16, 1992.
Software Computer programs, procedures, rules and associated documentation per-
taining to the operation of a computer system. EPA Information Resources
Management Policy Manual, Chapter 17, September 1994.
Software life cycle The period of time beginning when a software product is conceived
and ending when the product no longer performs the function for which it was
designed. The software life cycle is typically broken into phases such as initiation,
requirements analysis, design, programming, testing and quality assurance, instal-
1-17
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
lation and operation, maintenance, and retirement. EPA Information Resources
Management Policy Manual, Chapter 17, September 1994.
Software version control Management of changes or revisions to a specific baseline
software module or application. Software version control provides a mechanism to
control changes and to return to any previous revision of the application or module.
Standard Operating Procedures (SOPs) Documentation setting forth methods of
operation that laboratory management is satisfied are adequate to insure the quality
and integrity of LIMS Raw Data. Modified from EPA GLPs, August 17, 1989.
Testing The examination of the behavior of a program by executing the program on
sample data sets. EPA Information Resources Management Policy Manual, Chap-
ter 17, September 1994.
Testing and quality assurance (software life cycle) Ensuring that the system works as
intended and that it meets applicable organization standards of performance,
reliability, integrity and security. EPA Information Resources Management Policy
Manual, Chapter 17, September 1994.
Validity A state or quality of software that provides confirmation that the particular
requirements for a specific intended use are fulfilled. In design and development,
validity concerns the process of examining a product or result to determine
conformance to user needs. Modified from ISO 8402:1994, Quality Management
and Quality Assurance as cited mANSI/ASQC E4-1994.
Verify To review, inspect, test, check, audit, or otherwise establish and document
whether or not LIMS Raw Data are accurate. Modified from FlPSPublicationlOl,
June 1983.
1-18
-------�
2185 1995 Ed
8/10/95
GOOD AUTOMATED LABORATORY PRACTICES
10. LIST OF
CFR
CLP
EPA
FIFRA
FIPS
FIRMR
GALP
GLP
GSA
IRM
LIMS
LRD
NIST
OIRM
OMB
QAU
SOP
TSCA
ACRONYMS
Code of Federal Regulations
Contract Laboratory Program
Environmental Protection Agency
Federal Insecticide, Fungicide, and Rodenticide Act
Federal Information Processing Standard
Federal Information Resource Management Regulation
Good Automated Laboratory Practice
Good Laboratory Practice
General Services Administration
Information Resources Management
Laboratory Information Management System
LIMS Raw Data
National Institute of Science and Technology
Office of Information Resources Management
Office of Management and Budget
Quality Assurance Unit
Standard Operating Procedure
Toxic Substances Control Act
1-19
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
11. SOURCES
Copies of the Federal information resources management publications referenced in the
GALP can be ordered via mail, telephone, or the Internet.
Act of 1987
This is a Federal regulation and should be available in local public libraries.
The Internet World Wide Web address is:
http://www.first.org/secplcy 7csa_87.txt
of
Office of Management and Budget
Assistant Director of Administration
OMB Publications
725 17th Street, NW
Washington, D.C. 20503
telephone: (202)395-7332 (then press 2)
The Internet addresses for OMB publications are:
World Wide Web: http://www2.infoseek.com/Titles?qt=OMB
Gopher: gopher://pula.financenet.gov:70/l 1/docs/central/omb
EPA
U.S. Environmental Protection Agency
OARM/FMSD
Publication Distribution Section
Mailcode 3204
401 M St., SW
Washington, D.C. 20460
telephone: (202) 260-5797
1-20
-------�
2185 1995 Ed GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
For References 1 through 5 on page 1-6 (Automated Laboratory Standards),
contact:
Rick Johnson Voice: (919)541-1132
EPA(MD-34) Fax: (919)541-1383
RTF, NC 27711 Internet: johnson.rick@epamail.epa.gov
The Internet addresses for EPA IRM documents are:
World Wide Web: http://www.epa.gov/docs/IRMPolicy.html
Gopher: gopher://gopher.epa.gov:70/l 1/Initiatives/IRM.Policy
of Stiificjs '"ds fi^SJS^ put'l!v-&t}0"/"jS
National Technical Information Sen'ice
U.S. Department of Commerce
5285 Port Royal Road
Springfield, VA 22161
(703) 487-4650
The Internet World Wide Web address for NIST is:
http://www.ncsl.nist.gov
The Internet World Wide Web address for TIPS Publications is:
http://www.ncsl.nist.gov/fips/
1-21
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
1-22
-------�
Chapter 2
GALP Implementation Assistance
The GALP Implementation is based on established data management principles.
1. PRINCIPLES
Control is the essential objective behind most data management principles. Effective
management and operation of an automated laboratory cannot be assured unless use and
design of the LIMS is consistent with principles intended to assure LIMS control.
Although accuracy and reliability of data must be ensured by a control based system of
management, the most effective management systems invoke the participation of those
employees affected by the control process. Most importantly, the GALPs assume
laboratory professionals are personally motivated to follow the principles of their
professions, and that they will take every practical step to ensure the accuracy and the
reliability of the data and analyses produced by their laboratory.
The GALP guidance is built on six principles.
Communication, transfer, manipulation, and the storage/recall process all offer
potential for data corruption. The demonstration of control necessitates the
collection of evidence to prove that the system provides reasonable protection
against data corruption.
Good Automated Laboratory Practices 2-1
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
If, The jomiMitis and decision algorithms employed /n tin- ]J\IS must be
accurale and appropriate.
Users cannot assume that the test or decision criteria are correct; those formulas
must be inspected and verified.
e. A critical control element A the capability 10 rmc& Li MS Ran- f)tita
modification* and recording to the responsible
This capability utilizes a password system or equivalent to identify the time, date,
and person or persons entering, modifying, or recording data.
cl, ( Yiff.vi ifeff and appropriate change controls, capable oj tracking the JJM.S
operations and software, arc a vital element in the control process,
All changes must follow carefully planned procedures, be properly documented,
and when appropriate include acceptance testing.
e, Procedures must be established and documented for ail users to fallow.
Control of even the carefully designed am! implemented L! MS will be
liiwasH'fl if the user does noljoihrw these procedures
This principle implies the development of clear directions and SOPs, the training
of all users, and the availability of appropriate user support documentation.
f. The n\'k (tf LI MS failure requires that procedures, be established and
documented fa minimize and manage their occurrence.
Where appropriate, redundant systems must be installed and periodic system
backups must be performed at a frequency consistent with the consequences of the
loss of information resulting from a failure. The principle of control must extend
to planning for reasonable unusual events and system stresses.
2-2 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
2. IMPLEMENTATION KEY
This page is a key for using the GALP IMPLEMENTATION ASSISTANCE. The
model below, with commentary notes, illustrates the format and information that
follows.
GALP functional area
GALP subfitnctional area
Icon depicting the
GALP functional area
The wording of the particular GALP provision (from Chapter 1)
In cases where there are general specifications with distinct subsections or
subspecifications, the general specification will always appear with each
subspecification with two or three pages of discussion of that subspecification;
the next subspecification will repeat the general specification, and follow with
its discussion.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
A paragraph that defines the key terms of the provision and
explains the intent of the provision
A discussion of the kind of compliance evidence that
might be gathered, or acceptable ways in which the provision
has been or may be met.
A discussion of potentially relevant facts or noteworthy
factors that may be relevant for certain laboratory settings,
computer equipment, EPA statutes, or litigation.
NOTES: The GALP Implementation Guidance is a working document An area on the right-
hand page is provided to allow annotation as needed. The size of this area is determined by
the space available to complete a page This variation is not meant to imply any difference
in the extent of comment anticipated. Sources for additional guidance are also listed here.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-3
-------�
2-4 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.1
LABORATORY
MANAGEMENT
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-5
-------�
8.1 Laboratory Management
1) Personnel
When LIMS Raw Data (see 8.4.1) are collected, analyzed, processed, or main-
tained, laboratory management shall:
1) ensure that personnel clearly understand the function(s) they are to
perform on the LIMS.
EXPLANATION
DISCUSSION
Laboratory management shall be responsible for the use and
management of the LIMS. This necessitates that all LIMS support
personnel and users are completely familiar with their responsibili-
ties and assigned duties. Written job descriptions are necessary.
Laboratory management shall be responsible for ensuring that
appropriate professional hiring and assignment criteria are used,
coupled with appropriate training, to ensure that all users are able
to use the LIMS effectively.
Written position descriptions signed by LIMS support personnel
and users, with accompanying laboratory management signatures,
are a useful vehicle for documenting that personnel clearly under-
stand the functions they are to perform. Because there are not
widespread academic certifications or criteria that ensure system
user competence, most laboratories rely on a three-part strategy for
compliance: 1) Users are provided with clear operating instructions,
manuals, and SOPs to enable them to perform assigned system
functions; 2) Sufficient training to clarify these instructions is
provided to users; 3) Users able to meet operation requirements are
eligible to perform these LIMS functions.
2-6
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.1 Laboratory Management
1) Personnel
SPECIAL
CONSIDERATIONS
Because of its significance in evaluating the applicability of the
GALPs, the identification and documentation of LIMS Raw Data
(LRD) should be provided to all employees involved in the opera-
tion of the LIMS. It should be sufficiently specific and unambigu-
ous to enable employees to readily identify LRD (see c 4 !) so that
each employee knows when the GALPs must be followed.
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-7
-------�
8.1 Laboratory Management
2) Quality Assurance Unit
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall:
2) ensure that a Quality Assurance Unit (QAU) monitors LIMS activities as
described in 8.3.
EXPLANATION
Laboratory management shall designate a group or individual as the
QAU. This designation shall be consistent with the provisions set
forth in 8.3. The QAU responsibilities are primarily inspection,
audit, and review of the LIMS and its data.
DISCUSSION
An organizational plan should be developed to define lines of
communication, reporting, inspection, and review of the LIMS and
its data The QAU must be entirely separate from and independent
of the personnel engaged in the direction and conduct of a study, and
should report to laboratory management. In smaller laboratories, a
single individual may have many LIMS managerial responsibili-
ties, but may not be the designated QAU.
2-8
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.1 Laboratory Management
2) Quality Assurance Unit
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-9
-------�
8.1 Laboratory Management
3) Personnel, Resources, and Facilities
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall:
3) ensure that personnel, resources, and facilities are adequate and available
as scheduled.
EXPLANATION
DISCUSSION
Laboratory management shall ensure that personnel, resources, and
facilities are adequate to handle LIMS functions and operation in a
timely fashion. Resources include the LIMS equipment, materials,
software, and training.
Laboratory management should ensure that backup staff for critical
functions are available. In laboratories where time-critical func-
tions are frequently encountered, laboratory management should be
particularly sensitive to the need for adequate staff, backup, and
other necessary resources.
Laboratory management should periodically assess the staffing
levels for LIMS supervision, support, and operation, in order to
determine if resources are adequate. Laboratory management may
review training records to maintain awareness of the current status
of training received and needed, observe job performance to deter-
mine the performance levels of current staff and possible needs for
additional training, and examine project schedules and work back-
logs to determine the adequacy of current staff and whether the
LIMS is receiving proper staffing support.
2-10
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.1 Laboratory Management
3) Personnel, Resources, and Facilities
SPECIAL
CONSIDERATIONS
Notes...
Laboratory management is responsible for ensuring all resources
are adequate to support LIMS functions, but may find it necessary,
particularly in larger operations, to delegate responsibility for
assessing the adequacy of personnel, resources, and facilities to
another individual.
When laboratory management delegates LIMS resource assess-
ment, he/she shall ensure that the designated person has the experi-
ence, skills, and education to fulfill the responsibilities. Laboratory
management is also responsible for ensuring that the designated
person is available and has sufficienttime and resources to fulfill the
specific responsibilities. These responsibilities must be fully docu-
mented and consistent with s i .6
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-11
-------�
8.1 Laboratory Management
4) Quality Assurance Report
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall:
4) receive reports of QAU inspections of the LIMS (see 8,3,3) and audits of
LIMS Raw Data (see 8,3,5) and ensure that corrective actions are
promptly taken in response to any deficiencies.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
The flow of information concerning all laboratory operations,
including LIMS inspections and LRD audits, should expeditiously
move to laboratory management. Laboratory management should
review QAU inspection reports and audits, and may recommend
remedial actions. It is ultimately the responsibility of laboratory
management to ensure that any errors or deficiencies, discovered
through QAU activities, are acted upon and rectified.
Laboratory policy or SOP should clearly state that all QAU inspec-
tion and audit reports are presented in a timely manner to laboratory
management for review. These reports should have a provision for
laboratory management's signature and date. Likewise, an SOP or
policy should define the responsibility of management to follow up
on all deficiencies found in the QAU report.
A relevant legal concept is that the laboratory should be able to
demonstrate due diligence in carrying out its own rules, not just
have them.
2-12
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.1 Laboratory Management
4) Quality Assurance Report
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-13
-------�
8.1 Laboratory Management
5) Approving SOPs and Documenting Deviations
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall:
5) approve the standard operating procedures (SOPs) setting forth the
methods that assure LIMS Raw Data integrity, ensure that any deviations
from SOPs and applicable GALP provisions are appropriately
documented and that corrective actions are taken and documented, and
approve subsequent changes to SOPs (see 8.11).
EXPLANATION
DISCUSSION
Laboratory management is ultimately responsible for all activity
within the laboratory, including approval of SOPs and any subse-
quent changes, and implementation of required GALP provisions.
An SOP or laboratory policy should state that any departure from
laboratory SOPs and applicable GALP provisions will be reported
to laboratory management. Laboratory management should then
ensure that the deviation is properly documented and that appropri-
ate corrective actions are taken and similarly documented.
As part of a comprehensive LIMS policy, there should be docu-
mented assurance that laboratory management is made aware of
deficiencies or departures from the laboratory SOPs and required
GALP provisions. The SOP or policy should state that laboratory
management is responsible for ensuring that all deviations are noted
and corrective actions taken and documented.
2-14
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.1 Laboratory Management
5) Approving SOPs and Documenting Deviations
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-15
-------�
8.1 Laboratory Management
6) Compliance With GALP Provisions
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall:
6) assure that each applicable GALP provision is followed. With the
exception of 8.1, 8.2, and 8,3, laboratory management may delegate GALP
implementation and compliance to one or more responsible persons.
EXPLANATION
Laboratory management is responsible for complying with each
GALP provision that is required by the EPA program for which data
are submitted. Laboratory management, particularly in large labo-
ratories, may find it necessary to delegate GALP compliance
responsibilities to one or more responsible persons. The GALP
provisions in 8.1, 8.2, and 8.3 may not be delegated.
When GALP compliance responsibilities are delegated, laboratory
management shall ensure that the designated responsible persons
have the experience, skills, and education necessary to fulfill their
responsibilities. Laboratory management is also responsible for
ensuring that designated responsible persons are available and
provided sufficient time and resources to fulfill their responsibili-
ties.
Laboratory management shall ensure that delegation of GALP
compliance responsibilities are fully documented and current. This
documentation shall identify the individual who is assigned respon-
sibility for compliance with each GALP provision and shall clearly
specify each individual's job responsibilities and duties. The
documentation shall be signed by each responsible person to dem-
onstrate that each person is aware of his/her responsibilities.
2-16 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.1 Laboratory Management
6) Compliance With GALP Provisions
DISCUSSION
SPECIAL
CONSIDERATIONS
The manner by which GALP compliance responsibilities are dis-
tributed is at the discretion of laboratory management. At small
laboratories, one person may be responsible for compliance with all
GALP provisions. At larger laboratories, responsibilities may be
distributed among a number of people. Larger laboratories might
distribute responsibilities organizationally, functionally, by area of
scientific study, or other methods that meet the laboratory's needs.
It is strongly recommended that secondary responsible persons be
designated. The designation of secondary responsible persons
minimizes disruptions in the event of the prolonged absence of the
primary responsible person.
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed. 8/10/95
2-17
-------�
2-18 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.2
PERSONNEL
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-19
-------�
8.2 Personnel
1) Education
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that all LIMS support staff and users:
1) have adequate education, training, and experience to perform assigned
LIMS functions.
EXPLANATION
DISCUSSION
All LIMS support staff and users shall have adequate education,
training, and experience to perform assigned LIMS functions.
This provision encompasses all LIMS functions used to collect,
transmit, report, analyze, summarize, store, or otherwise ma-
nipulate data. Laboratory management is expected to use appro-
priate professional hiring and assignment criteria, coupled with
appropriate training, to ensure that all users are able to use the
LIMS effectively.
In certain cases, specialized training or attendance at special
courses and certification programs may substitute for formal
education requirements. Demonstrated experience may also sub-
stitute for formal education requirements. Either basis for sub-
stitution should be thoroughly and accurately documented. In
certain cases, especially for personnel with advanced education
and training, self-certification may be possible. Laboratory
management should use professional judgment as to the appro-
priateness of self-certification.
2-20
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.2 Personnel
1) Education
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-21
-------�
8.2 Personnel
2) Training
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that all LIMS support staff and users:
2) have a current summary of their training, experience, and job description,
including their knowledge relevant to LIMS design and operation,
maintained at the facility.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
This provision states that documentation of personnel back-
grounds, including education, training, and experience, is cur-
rent and available. Pertinent LIMS design, support, and opera-
tions knowledge for each person with access to and responsibility
for the LIMS should be included in the documentation. Evidence
of training and experience that indicates knowledge sufficient for
job requirements is essential.
Resumes (including references to education and degrees ob-
tained, professional certificates, previous job titles, and respon-
sibilities), reports of completed training, and current job descrip-
tions may be centrally filed at the facility. Job performance
evaluations may be used to demonstrate proper levels of LIMS
knowledge and experience. Documentation of prior success in
similar responsibilities may be sufficient.
When outside vendors are involved, the required education,
training, knowledge, and experience may be so indicated on their
resumes.
2-1
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.2 Personnel
2) Training
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed. 8/10/95
2-23
-------�
8.2 Personnel
3) Number of Persons
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that all LIMS support staff and users:
3) are of sufficient number for timely and proper operation of the LIMS.
EXPLANATION
DISCUSSION
Laboratory management is expected to maintain a staff that is
adequate in size to ensure that functions for the LIMS will be
performed in an accurate and timely manner, including all sys-
tem-related tasks, and particularly time-critical functions.
By designing and following a work plan for any particular study,
laboratory management can anticipate staffing requirements nec-
essary for a particular need. Laboratory management must be
aware of any delays in operations due to inadequate staffing and
take proper action.
Persistent and excessive overtime, excessive LIMS downtime, or
delayed responses to hardware and software changes may indi-
cate insufficient staffing.
Information regarding the adequate competence of personnel is
discussed in 8,2.1.
2-24
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.2 Personnel
3) Number of Persons
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-25
-------�
2-26 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.3
QUALITY
ASSURANCE UNIT
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-27
-------�
8.3 Quality Assurance Unit
1) Independent QAU
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
1) be entirely separate from and independent of LIMS personnel, and shall
report directly to laboratory management.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
The QAU is responsible for assuring laboratory management of the
integrity of the LRD; therefore, any real or apparent conflict of
interest with LIMS personnel, including LIMS management, shall
be avoided. Because laboratory management is ultimately respon-
sible for compliance with all of the GALPs, the QAU shall necessar-
ily report directly to laboratory management.
Documentation of the organization should be available providing
clear evidence that the QAU reports directly to laboratory manage-
ment. Similarly, descriptions of the positions and responsibilities of
each QAU staff member should be available for review and provide
evidence of their independence from LIMS personnel and manage-
ment. These descriptions should also provide evidence of the role
of QAU staff members in monitoring LIMS activities to assure LRD
integrity. Organizational charts and job descriptions may be useful
in providing this documentation.
In LIMS operations where the number of personnel is small, there
could be a real or apparent conflict of interest between the QAU and
LIMS personnel and managers. In these situations, an extramural
QAU may be required in the absence of alternative solutions to
resolving the real or apparent conflict of interest.
2-28
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.3 Quality Assurance Unit
1) Independent QAU
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-29
-------�
8.3 Quality Assurance Unit
2) Documentation Availability
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
2) have immediate access to the LIMS data, SOPs, and other records
pertaining to the operation and maintenance of the LIMS.
EXPLANATION
A complete and current set of SOPs shall be available and accessible
at all times to the QAU. The QAU should also have access to the
most current and version-specific set of LIMS operations and
maintenance manuals, data, and other operations and maintenance
documentation.
DISCUSSION
SPECIAL
CONSIDERATIONS
A complete and current copy of LIMS SOPs and technical documen-
tation should exist as part of standard documentation and be acces-
sible to the QAU. Documentation of the procedures described above
may be set forth in SOPs and/or LIMS management policy. The
documentation may be in writing or electronically maintained.
If SOPs are stored electronically, the QAU shall be responsible for
verify ing that they are secure, retrievable, and readable; maintaining
a hard copy of the electronic versions; and ensuring that the hard
copy versions are identical to the electronic versions.
2-30
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.3 Quality Assurance Unit
2) Documentation Availability
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed. 8/10/95
2-31
-------�
8.3 Quality Assurance Unit
3) Inspections
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
3) inspect the LIMS at intervals adequate to ensure the integrity of the LIMS
Raw Data (see 8,3.5); prepare inspection reports that include a description
of the LIMS operation inspected, the dates of the inspection, the person
performing the inspection, findings and problems observed, action
recommended and taken to resolve existing problems, and any scheduled
dates for reinspection; and report to laboratory management any
problems that may affect data integrity.
EXPLANATION
A LIMS that is consistently reliable and accurate is a major goal of
QAU activity. To assure reliability and accuracy, the LIMS must be
inspected on a regular basis. Inspection shall be performed at a
frequency adequate to ensure the integrity of the LRD. The LIMS
shall also be inspected immediately after any change to LIMS
software or hardware.
Records of each inspection shall be prepared and maintained and
shall include the following: the specific LIMS operation inspected,
the name of the inspector, and the date of the inspection. Findings
from the inspection and any problems observed shall be recorded.
Actions recommended and those taken to resolve any problems that
were found and scheduled dates for reinspection shall be docu-
mented. In all cases where problems affecting the integrity of LRD
were observed during inspection, these problems shall be immedi-
ately reported to laboratory management. Documentation of reports
to laboratory management should be maintained.
2-32 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.3 Quality Assurance Unit
3) Inspections
DISCUSSION
Although the QAU is responsible for reporting directly to labora-
tory management and is required to be independent of LIMS
personnel, problems affecting the integrity of LRD may also be
communicated directly and immediately to the appropriate LIMS
personnel; thus a more rapid resolution of these problems can occur.
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-33
-------�
8.3 Quality Assurance Unit
4) Deviations
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
4) determine that no deviations from approved SOPs were made without
proper authorization (see 8J.5) and sufficient documentation.
EXPLANATION
DISCUSSION
The QAU shall ensure that no deviations from S OPs have been made
without prior authorization and complete documentation of the
change. Authorization for the planned deviation entails obtaining
the approval, signature, and date of laboratory management prior to
its occurrence. Documentation of any deviation shall include, but
not be limited to: an explanation of the departure from methods
established in the SOP, the reason for the departure, and the accom-
panying date of the departure.
In order to maintain complete control over LIMS operations and
functions, it is important to ensure that the LIMS is consistently
operated in compliance with approved SOPs.
In certain situations, unplanned deviations from the SOPs may
occur. These deviations must be documented and include the
explanation of the departure from the methods established in the
SOPs, the reason for the departure, the signature and date of
laboratory management, and its affect on the LIMS data.
2-34
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.3 Quality Assurance Unit
4) Deviations
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed. 8/10/95
2-35
-------�
8.3 Quality Assurance Unit
5) LIMSRaw Data Audit
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
5) periodically audit the LIMS Raw Data to ensure their integrity.
EXPLANATION
Periodic review of LRD that are being reported or will be reported
are conducted to ensure the integrity and reliability of the LRD. By
examining reported data and correlating it with the LRD for a
specific LIMS reporting activity, the QAU will ensure the integrity
of LRD.
DISCUSSION
An audit should be undertaken if QAU inspection problems
are found that jeopardize LRD integrity. It is recommended
that an SOP be established that requires periodic review of final
reports and their corresponding LRD. Integrity problems or devia-
tions arising from these audits should be reported to laboratory
management as discussed in 8,3.3.
If LIMS hardware or software are changed or relocated consistent
with 8.7,2 and 8.5,2, a review of reportable data against LRD is
recommended.
SPECIAL
CONSIDERATIONS
Movement of non-LIMS equipment, particularly those emitting
magnetic radiation in close proximity to LIMS equipment, may
affect LRD integrity. In these situations, it is strongly recommended
to also review reported data against the LRD.
2-36
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.3 Quality Assurance Unit
5) LIMS Raw Data Audit
Notes...
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed. 8/10/95
2-37
-------�
8.3 Quality Assurance Unit
6) Records
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall designate a Quality Assurance Unit (QAU) to monitor
LIMS functions and procedures. The QAU shall:
6) ensure that the responsibilities and procedures applicable to the QAU, the
records maintained by the QAU, and the method of indexing such records
are documented and are maintained.
EXPLANATION
DISCUSSION
The methods and procedures of the QAU shall be fully documented,
consistently followed, and maintained by the QAU. The method of
indexing such records shall also be documented and maintained.
It is important that the QAU inspection and audit reports discussed
in 8.3.3 and 8,3.5 are identified and maintained to include date, time,
and investigator(s). The complete set of documentation, including
QAU responsibilities and procedures and their inspection reports
should be indexed so as to be readily accessible.
Because the QAU must maintain all records and documentation
pertaining to their activities, a policy or SOP may be developed to
establish specific procedures for this.
2-38
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.3 Quality Assurance Unit
6) Records
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-39
-------�
2-40 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.4
LIMS RAW DATA
(LRD)
Good Automated Laboratory Practces
Implementaton Assistance
2185 1995 Ed 8/10/95
2-41
-------�
8.4 LIMS Raw Data
1) Identification and Documentation
Laboratory management shall ensure that:
1) LIMS Raw Data (LRD) and LRD storage media on which they reside
(see 9. DEFINITIONS LIMS Raw Data and LIMS Raw Data storage media)
are identified and documented. This documentation shall be included in
the laboratory's SOPs.
EXPLANATION
DISCUSSION
The objective of the GALPs is to provide EPA with assurance of the
integrity of LIMS Raw Data (LRD). Thus the GALPs prescribe how LRD
are to be entered, changed, stored, and secured. Laboratory management
or designee (see 8.1.6) shall assess data that are entered in, processed,
maintained, or reported by the LIMS to identify and document those data
that are LRD. The documentation shall also include a description of the
LRD storage medium. LRD and their respective storage media shall be
identified in the laboratory's SOPs. Copies of the SOPs shall be made
available to all personnel with access to LRD, and laboratory management
should assure that these personnel clearly understand the importance of
LRD.
LRD are original observations recorded by the LIMS that are needed to
verify, calculate, or derive data that are or may be reported. Original
observations mean the first occurrence of human-readable information.
The media to which the LRD are first recorded is the LRD storage media.
The media may be paper, microfiche, microfilm, magnetic or optical
storage media.
As an example: Person A places an environmental sample into a labora-
tory instrument that analyzes the sample and transmits signals to a
personal computer (PC). The PC software captures the signals, analyzes
them, and displays a graphical representation of the analyzed signals on
a monitor. Person B examines the graphic, concludes it is realistic, and
then issues a command to the PC software to record the analyzed data on
a disk. The data stored on the disk are the LRD, and the disk is the LRD
storage medium. The instrument, communications components, PC, PC
software, monitor, recording device, and disk are a LIMS (see Figure 1.3).
2-42
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.4 LIMS Raw Data
1) Identification and Documentation
SPECIAL
CONSIDERATIONS
Alternatively, Person B could issue a command to first record the
analyzed signal to paper before it is recorded to disk. In this case, the paper
is the LRD storage medium.
The documentation for the above example may be an SOP or SOPs that
describe data entry, analysis, and recording. For example, a single SOP
could be developed and maintained that documents data entry, analysis,
and recording. It would specify recording of the instrument. Person A,
time and date, and Person B, time and date, on the disk, and that the LRD
and LRD storage medium are those recorded by Person B on the disk (or
paper, depending on which the LRD are first recorded).
1. Some EPA programs may require additional data beyond those
discussed in the example above. To demonstrate the reliability of
instrumentation, an EPA program may also require that the initial
high and low values sent from the instrument to the LIMS be
included with the LRD discussed in the example.
2. Original observations that have been recorded prior to entry to the
LIMS (see Figure 1.2) are not LRD (see 3. below). However,
laboratory management may want to extend the definition of LRD to
include these observations, thus ensuring that they are GALP-
compliant.
3. For 2. above, some EPA programs require that the original observa-
tions be maintained and stored on their original recording medium.
For example, the GLPs define raw data as any laboratory worksheets,
records, memoranda, notes, or exact copies thereof, that are the result
of original observations and activities of a study and are necessary
for the reconstruction and evaluation of the report of that study.
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-43
-------�
8.4 LIMS Raw Data
2) Entry and Recording Person
Laboratory management shall ensure that:
2) the individual(s) responsible for entering and recording LIMS Raw Data is
(are) uniquely identified when the data are recorded, and the time(s) and
date(s) are documented.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
Laboratory management shall ensure that LRD input is traceable to
the person who manually input the LRD or who was responsible for
transmission to the LIMS, and, if different, the person who was
responsible for the recording of the LRD by the LIMS. The time and
date for each of these actions shall also be documented.
The usual method for accomplishing this identification is to have the
LIMS record a unique user identification code as part of the data
being entered or recorded. The user ID code can then be referenced
back to the associated data entry or data recording person to allow
identification of all entered data.
The person who operated the instrument may not be same as the
person who transmitted the data. Knowing who operated the
instrument, however, may be as important as knowing who entered
or recorded the data into the LIMS. Thus, the laboratory should also
document the instrument operator with the data entry/recording
person(s). Laboratory management should ensure that the time and
date for each action above is correct and has not been altered in an
unapproved manner.
In the case of manual entry, the original data generally are study raw
data (see 8.4.1 Special Considerations) and can be audited; the LRD
are derived data.
2-44
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.4 LIMS Raw Data
2) Entry and Recording Person
Notes...
For additional guidance, see: Automated Laboratory Standards: Evaluation of the
Use of Automated Financial System Procedures, EPA/OIRM (June 1990); and
Automated Laboratory Standards: Evaluation of the Standards and Procedures Used
in Automated Clinical Laboratories, EPA/OIRM (May 1990).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-45
-------�
8.4 LIMS Raw Data
3) Instrument Identification
Laboratory management shall ensure that:
3) the instrument transmitting LIMS Raw Data is uniquely identified when
the data are recorded, and the time and date are documented.
EXPLANATION
DISCUSSION
Laboratory management shall ensure that documentation for instru-
ments that transmit data to the LIMS that are or will become LRD
exists, is maintained, and includes the date and time of each
transmission. It must be possible to trace to the source instrument the
date and time of data transmission to the LIMS.
This can be accomplished by including a unique instrument identi-
fication code that also documents the date and time during transmis-
sion to the LIMS and records this information with the LRD.
2-46
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.4 LIMS Raw Data
3) Instrument Identification
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-47
-------�
8.4 LIMS Raw Data
4) Verification
Laboratory management shall ensure that:
4) procedures and practices to verify the accuracy of LIMS Raw Data are
documented and included in the laboratory's SOPs, and managed as
described in 8.11.
EXPLANATION
DISCUSSION
The integrity of data can be compromised during data entry, elec-
tronic transfer from automated instruments, and particularly during
manual entry. Procedures for verifying the accuracy of the LRD
entered manually or electronically into the LIMS shall be docu-
mented and included in the laboratory's SOPs and managed as
described in 8,11. The implementation of these procedures shall be
enforced by laboratory management.
Data verification methods, such as double-keying of manually
entered data, blind re-keying of data entered automatically, or other
proven methods, can be practiced to provide assurance of LRD
integrity.
2-48
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.4 LIMS Raw Data
4) Verification
Notes...
For additional guidance, see: Automated Laboratory Standards: Evaluation of the
Use of Automated Financial System Procedures, EPA/OIRM (June 1990).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-49
-------�
8.4 LIMS Raw Data
5) Changes
Laboratory management shall ensure that:
5) procedures and practices for making changes to LIMS Raw Data are
documented and provide evidence of change, preserve the original
recorded documentation (see 8.4,2 and 8.4.3), are dated, indicate the
reason for the change, identify the person who made the change and, if
different, the person who authorized the change. These procedures shall
be included in the laboratory's SOPs, and managed as described in 8.11.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
When LRD are changed after initial recording, documentation shall exist
that preserves the original recorded required documentation (see 8.4.2 and
8,4.3), provides clear evidence that a change was made, explains the
reason for the change, records the date of change, the person who made the
change and, if different, the person who authorized the change. The
laboratory's SOPs shall include procedures for making changes to LRD
in compliance with these recording requirements, and shall specify who
has authority to make changes or to authorize changes, if different. These
procedures shall be included hi the laboratory's SOPs, and shall be
established, approved, and managed as described in 8.11.
This GALP provision requires maintaining all LRD and changes to LRD
so that all modifications are clearly documented. All documented changes
shall be stored and retained as specified in H.9 and 8.10.2. If LRD are
purged from the LIMS, a verified copy of the LRD should be maintained,
for at least the required retention period.
Recording both a person authorizing a change and a different person
entering a change may not be feasible in an existing LIMS. To obviate this
problem, laboratories may consider establishing a policy by which only
one individual has authority to authorize changes and make changes to
data on the LIMS. An alternative may be to retain paper copy authoriza-
tions or logs.
2-50
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.4 LIMS Raw Data
5) Changes
ORIGINAL LIMS Raw Data
134.7
Unique identification of person
entering data, time, and date
Unique identification of person
recording data, time, and date
Unique identification of instrument
transmitting data, time, and date
Unique identification of person
operating instrument
CHANGED LIMS Raw Data
144.7
134.7
Unique identification of
person making change
Unique identification of
person authorizing change
Date of change
Reason for change
The information pertaining to the
original data as described on the left
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-51
-------�
2-52 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5
SOFTWARE
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed 8/10/95
2-53
-------�
8.5 Software
1) Standard Operating Procedures
1) Development Methodology
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
1) SOPs are established, approved, and managed as described in 8.11 for:
1) development methodologies that are based on the size and nature of
software being developed. EPA and its agents shall comply with EPA
Information Resources Management Policy Manual Chapter 17.
EXPLANATION
DISCUSSION
An SOP shall be prepared for LIMS software development method-
ology. In preparing this SOP, all GALP provisions, especially 8,4
and 8.6, should be considered. EPA Information Resources Man-
agement Policy Manual. Chapter 17. serves as software develop-
ment guidance for the Agency. The methodology set forth in this
guide shall be used by EPA and its agents (contractors and grantees)
when developing software. If an EPA office has supplemented EPA
Information Resources Management Policy Manual with its own
guidance, the laboratory must consider the applicability of this
specific guidance to the software to be developed. The SOP
documenting the development methodology shall be established,
approved, and managed as described in 8.11.
When selecting a LIMS software development methodology, the
laboratory's goal is the reliability of LIMS Raw Data. The method-
ology and techniques selected should contribute to the software's
accuracy and reliability in meeting user needs. In most cases, the
methodology should include user involvement throughout the de-
velopment cycle.
Laboratory management should consider several factors in selecting
the development methodology. A large system that will be used for
several years by many users is a good candidate for the full develop-
2-54
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
1) Development Methodology
ment methodology documented in EPA Information Resources
Management Policy Manual A stand-alone program, a single-user
system, or a system that will be used for only a short period of time
would more likely be suited to rapid application development
techniques and less formally structured development methods.
Notes..
For additional guidance, see: EPA Information Resources Management Policy
Manual, Chapter 17 (September 1994).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices 2-55
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
2) Testing and Quality Assurance
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
1) SOPs are established, approved, and managed as described in 8.11 for:
2) testing and quality assurance methods to ensure that all LIMS software
accurately performs its intended functions, including: acceptance
criteria, tests to be used, personnel responsible for conducting the tests,
documentation of test results, and test review and approval.
EXPLANATION
DISCUSSION
SOPs shall be prepared for conducting and documenting testing and
quality assurance. Testing and quality assurance involves evaluat-
ing new or changed software to determine that it performs correctly
and meets user requirements. SOPs shall document when testing
and quality assurance are required, as well as how they are to be
conducted, the acceptance criteria, personnel responsible for test-
ing, and documentation of test results, test review, and approval.
Testing and quality assurance are specified in EPA Information
Resources Management Policy Manual. Chapter 17. SOPs for
testing and quality assurance shall be established, approved, and
managed as described in 8.1!.
Testing and quality assurance procedures are standard integral parts
of the change control process, that also apply to implementation of
new software. Users should be involved in testing programs in an
environment that will not affect the production system. New
software should also be tested in a similar way by potential users.
Acceptance criteria should be documented before testing begins to
ensure that testing is predicated on meeting those standards, as
discussed in 8,5.2.2. SOPs may include provisions for laboratory
management to review the tests and results to ascertain that criteria
are appropriate and are met to their satisfaction.
2-56
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
2) Testing and Quality Assurance
SPECIAL
CONSIDERATIONS
Testing and quality assurance procedures should be performed by
individuals responsible for installation and operation of the LIMS
and not by the QAU (see 8.5.2.2 Special Considerations).
Notes...
For additional guidance, see: EPA Information Resources Management Policy
Manual, Chapter 17 (September 1994).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-57
-------�
8.5 Software
1) Standard Operating Procedures
3) Change Control
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
1) SOPs are established, approved, and managed as described in 8.11 for:
3) change control methods that include instructions for requesting,
testing, approving, documenting, and implementing changes. When
indicated, change control methods shall also include reporting and
evaluating problems, as well as implementing corrective actions.
EXPLANATION
SOPs shall be prepared for problem reporting and change control
procedures that apply to all layers of software used in the laboratory,
including custom-developed and commercially-available software.
The procedures should be tailored to each kind of software. SOPs
for change control shall be established, approved, and managed as
described in 8.11.
Change control procedures shall specify:
persons authorized to request software changes
requirements to be met for approval of change requests
responsibilities and methods for documenting testing and
quality assurance
approval procedures for changed versions
procedures for moving changed versions to the production envi-
ronment.
forms designed for change request/problem reports
methods for establishing the priority of change requests
LIMS archives from which to take copies of programs
to be amended (see 8.5.4)
procedures for maintaining amended copies that conform with
SOPs
2-58 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
3) Change Control
DISCUSSION
Change control procedures should also be tailored to handle changes
of different priorities. For example, procedures for dealing with
emergency problems should expedite corrective action. The labora-
tory should consider a centralized change control system (manual or
automated) that includes all change requests, including emergency'
problems, corrections to software errors, and enhancement requests.
A centralized change control system may allow better tracking and
control than separate systems. The change control procedure should
designate a person authorized to move changed program versions to
the production environment.
Problem report forms with written instructions for completion may
be developed, and problem logs may be maintained by a designated
person. Analysis and initial reporting may be required within a
specific time frame and may be performed by the responsible person
until resolution is reached.
Notes...
For additional guidance, see: EPA Information Resources Management Policy
Manual, Chapter 17 (September 1994).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-59
-------�
8.5 Software
1) Standard Operating Procedures
4) Version Control
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
1) SOPs are established, approved, and managed as described in 8.11 for:
4) version control methods that document the LIMS software version
currently used.
EXPLANATION
DISCUSSION
SOPs shall be prepared to document the process that establishes and
maintains the identification of the LIMS software version in use at
the time each data set was created. SOPs for version control shall be
established, approved, and managed as described in 8.11.
This process can be met by ensuring that the date and time of
generation of all data sets are documented, and that the LIMS
software version generating the data set is identified in the data file.
The laboratory shall ensure that historical files (see 8,5.4) are
established and maintained to indicate the current version and all
previous versions of the software releases and individual programs,
including dates and times they were put into and removed from the
LIMS production environment.
2-60
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
4) Version Control
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-61
-------�
8.5 Software
1) Standard Operating Procedures
5) Historical File
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory7 management shall ensure that:
1) SOPs are established, approved, and managed as described in 8.11 for:
5) maintaining a historical file of software, software operating procedures
(manuals), software changes, and software version numbers.
EXPLANATION
DISCUSSION
SOPs shall be prepared to document the procedures by which
historical files are maintained. These files shall include, but not be
limited to, all software versions (see 8.5.1.4) and software operating
procedures for each version. Consistent procedures for manage-
ment of historical files shall be documented to assure that these files
are current, complete, and easily accessible. SOPs for maintaining
a historical file of software shall be established, approved, and
managed as described in 8.1 i.
The ability to verify the accuracy of LRD and reportable data
necessitates that all software versions, all software changes, and all
operating instructions are available, maintained, complete, and
current. To assure this, an SOP should specify methods for storage
and retention times that comply with 8.9. The SOP should specify
that all historical files be maintained in a designated location that is
safe and secure, and that adequately preserves the software for the
required retention period.
2-62
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
1) Standard Operating Procedures
5) Historical File
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-63
-------�
8.5 Software
2) Documentation
1) Existing and Commercially-Available Systems
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
2) documentation is established and maintained to demonstrate the validity
of software used in the LIMS:
1) for existing and commercially-available LIMS, minimum documentation
shall include, but not be limited to: a description of the software and
functional requirements; listing of all algorithms and formulas; and, as
they occur, testing and quality assurance, installation and operation,
maintenance/enhancement, and retirement.
EXPLANATION
DISCUSSION
To demonstrate the validity of software used, LIMS software
documentation should include, within practical limits, all phases of
the software life cycle (see 8.5,2.2). For existing and commercially-
available LIMS software, the minimum documentation shall in-
clude:
A. LIMS software description and functional requirements
13. algorithms and formulas
C. testing and quality assurance procedures
D. installation and operation, maintenance/enhancement, and
retirement procedures
For commercially-available software and LIMS software in use
prior to publication of the GALPs, the documentation of additional
life cycle phases is governed by the magnitude of the programming
effort involved in creating the software. Large, complex applica-
tions that require lengthy and expensive software development
efforts necessitate an equivalent level of effort in the creation of
detailed documentation that describes the application throughout
each software life cycle phase. A small, less detailed program
written by one programmer in a short period of time (such as a
2-64
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
2) Documentation
1) Existing and Commercially-Available Systems
week), requires less documentation that may involve only a para-
graph describing each phase of the software life cycle.
For existing or commercially-available LIMS software, documenta-
tion may be difficult to obtain. However, LIMS software descrip-
tions and functional requirements can be developed. User require-
ments that lead to the purchase of a commercially-available LIMS
can be used to develop the functional requirements documentation.
Software vendors may provide some LIMS software design docu-
mentation, but for proprietary reasons, it may not be complete. File
layouts, program descriptions, and functional specifications may be
provided, but program specifications and source code may be
unavailable. If the minimum documentation described above is not
provided, an attempt to obtain it from the vendor should be made;
however, it may be necessary to reconstruct it in-house.
A. LIMS Software Description and Functional Requirements
A description shall be documented and maintained for the LIMS
software that provides detailed information on the functions the
software performs. Depending on the nature or internal structure of
the software, the documentation for the functional requirements
may include: flowcharts or block diagrams that illustrate step-by-
step processing of a software module, data flow diagrams that
illustrate the movement of data through the LIMS, or entity-
relationship diagrams that illustrate the relationship of the data
within the database,
B. Algorithms and Formulas
All algorithms and formulas used in the LIMS, and modules that
allow user entry of formulas or algorithms, shall be documented and
retained. Documentation of the algorithms and formulas should be
Good Automated Laboratory Practices 2-65
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.5 Software
2) Documentation
1) Existing and Commercially-Available Systems, continued
easily discernible. These listings should identify the locations in
which the formulas and algorithms occur in the LIMS software.
Documentation for all such formulas and algorithms can be main-
tained in a central location. In some cases, formulas and algorithms
for purchased software may be obtained from vendor-provided
documentation. For software currently in use, it may be possible to
extract the formulas and algorithms from source code.
C. Testing and Quality Assurance
Documentation shall be established and maintained to support
testing and quality assurance. The documentation should describe
procedures that ensure the LIMS works as intended and that it meets
organizational standards for performance, reliability, integrity, and
availability. Testing documentation should include evidence of
integration and validation testing. Test specifications and results
(unit tests, system tests, integration tests) should be documented
and maintained.
D. Installation and Operation, Maintenance/Enhancement,
and Retirement Procedures
Documentation shall be established and maintained to support the
initial and continuing operations of the LIMS software. The docu-
mentation includes implementation plans and procedures,
methods for regulating and controlling software changes (see
8,5.1.3), routine support requirements, and post-implementation
reviews. Retirement plans and procedures identify a means of
retrieving LIMS data after the LIMS is replaced or is no longer
operational.
2-66 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
2) Documentation
1) Existing and Commercially-Available Systems, continued
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-67
-------�
8.5 Software
2) Documentation
2) New Systems
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
2) documentation is established and maintained to demonstrate the validity
of software used in the LIMS:
2) for new LIMS development or modification of existing LIMS,
documentation shall cover all phases of the generic software life cycle.
EPA laboratories and those of its agents (contractors and grantees) shall
comply with the documentation requirements specified in EPA
Information Resources Management Policy Manual, Chanter 17.
EXPLANATION
The goal of LIMS software documentation efforts shall be to demonstrate
the validity of the software used. The documentation shall accurately
describe the software's functions and internal structures as they exist, or
will exist, during each of the software life cycle phases. The terms used
to describe each software life cycle phase have varied over time and have
been published using different "standard" terminology However, the
general structure and progression of the software life cycle has remained
the same for many years.
For new LIMS software (under development, or to be developed) used in
EPA-sponsored studies, laboratories shall establish and maintain life
cycle documentation that conforms to the specifications of EPA Informa-
tion Resources Management Policy Manual. Chapter 17. The extent of
the documentation shall be consistent with the software application's size,
cost, sensitivity of data, policy implications, and diversity of organiza-
tions using the LIMS. New LIMS software documentation should
generally include the following, which are intended to cover all phases of
the software life cycle:
initiation
requirements analysis
design
programming
testing and quality assurance
installation and operation
maintenance/enhancement
retirement
2-68
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
DISCUSSION
8.5 Software
2) Documentation
2) New Systems
SOPs may be established and maintained to ensure that each phase of the
software life cycle is documented. Laboratory management review of
milestones ensures that required documentation is available before giving
approval for LIMS software development to proceed.
Documentation standards for initiation and requirements analysis can be
established. The initiation documentation can include a request for LIMS
development or enhancement, and the needs that are resolved. The
requirements analysis documentation identifies the functions that the
LIMS will perform.
Design and programming standards ensure that minimum requirements
are met and foster consistency and uniformity in the software. File layout
formats, screen formats, and report formats can be included in the design
standards. Explanatory comments, section and function labels, the pro-
gramming language, identification of the programmer, dates of original
writing and all changes, the use of logical variable names, and other
programming documentation requirements are established by the pro-
gramming standards.
Testing and quality assurance standards ensure that the LIMS performs as
it was intended. Testing and quality assurance include both unit and
integration testing. It assures that the LIMS meets standards for perfor-
mance, reliability, integrity, and security.
Installation and operation standards assure a smooth transition from
existing laboratory operations to the LIMS. Maintenance/enhancement
standards improve the continuing operation of the LIMS. The mainte-
nance/enhancement procedures identify change control procedures for
resolving problems not discovered during testing, improving LIMS per-
formance, and modifying the LIMS to meet changing needs or new
requirements. The retirement standards identify procedures for ending
use of the LIMS due to obsolescence or replacement. The retirement
procedures identify a means of retrieving historical LIMS data.
Good Automated Laboratory Practices 2-69
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.5 Software
2) Documentation
2) New Systems, continued
INITIATION
REQUIREMENTS
ANALYSIS
MAINTENANCE/
ENHANCEMENT
INSTALLATION
AND OPERATION
Complete Software
Life Cycle
TESTING AND
QUALITY
ASSURANCE
SPECIAL
CONSIDERATIONS
Testing and quality assurance must be performed on LIMS software
to ensure that it functions as intended and meets applicable stan-
dards. Software testing and quality assurance procedures should be
performed by individuals responsible for installation and operation
of the LIMS and not by the Q AU, because the Q AU must be entirely
separate from and independent of LIMS personnel (see 83,1).
However, the QAU may monitor and review quality assurance
procedures throughout the software life cycle.
2-70
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
2) Documentation
2) New Systems, continued
Notes...
For additional guidance, see: EPA Information Resources Management Policy
Manual, Chapter 17 (September 1994).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-71
-------�
8.5 Software
3) Availability of Documentation
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
3) all documentation specified in 8.5.2: is readily available in the facility
where the software is used, and the SOPs specified in §,5.1 are readily
available in the laboratory areas where procedures are performed.
EXPLANATION
DISCUSSION
All documentation and SOPs, or copies thereof, shall be available
in the work areas of LIMS developers, operators, and/or users, as
applicable. SOPs shall be available to each department or work
group within a laboratory, and importantly, shall be current.
Original SOPs and documents should be maintained centrally to
prevent their loss or misplacement. Persons responsible for produc-
ing SOPs or documentation manuals may maintain a record of SOPs
or documentation issued, their numbers, and identification of per-
sons to whom they were issued, thus facilitating ease in issuing
updates. User manuals should be readily available to all users. It is
particularly important that SOPs and documentation pertinent to
development methodologies, testing and quality assurance, change
control, version control, and historical files be immediately avail-
able where the work is performed.
2-12
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
3) Availability of Documentation
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-73
-------�
8.5 Software
4) Historical File
When software is used to collect, analyze, process, or maintain LIMS Raw Data,
laboratory management shall ensure that:
4) a historical file of software and the documentation specified in 8.5.2 are
retained according to procedures outlined in 8,9.
EXPLANATION
Previously used software, LIMS manuals, user maintenance manu-
als, and other documents specified in 8.5.2 shall be retained in
compliance with 8.9. If the retention time is not specified, the period
should be sufficient to allow the laboratory to support any challenges
to the integrity of the LRD.
Files of all versions of software programs shall be created and
maintained so that the history of each program is evident. Differ-
ences between the versions and the time of their use shall be evident.
DISCUSSION
The laboratory should ensure that historical files indicate all previ-
ous versions of software releases and individual programs, includ-
ing the dates they were placed into and removed from production.
Software program listings can include internal references to a
project number. For each data set, the historical file should identify
the version of software used in creating each set of LRD.
2-74
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.5 Software
4) Historical File
Notes...
For additional guidance, see: EPA Operations and Maintenance Manual (April 1990).
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-75
-------�
2-76 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed, 8/10/95
-------�
8.6
SECURITY
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-77
-------�
Security
Laboratory management shall ensure that security practices to assure the
integrity of LIMS data are adequate. EPA laboratories and those of its
agents (contractors and grantees) shall comply with EPA's Information
Security Policy.
EXPLANATION
DISCUSSION
Requirements for protecting LIMS data from destruction, disclo-
sure, alteration, delay or undesired manipulation can vary greatly
according to laboratory needs and requirements. Laboratory man-
agement is responsible for ensuring that threats to the LIMS and its
data have been assessed, compensating safeguards implemented,
and, where required, other established security requirements imple-
mented.
EPA's Information Security Policy (described in EPA Information
Resource Management Policy Manual, Chapter 8) formally estab-
lishes a comprehensive, Agency wide information security program.
This policy implements OMB Circular A-130 and describes indi-
vidual and organizational responsibilities for EPA staff and its
agents. A procedural manual, EPA Information Security Manual.
explains how to comply with this policy and with the congression-
ally-mandated Computer Security Act of 1987. The following
Discussion summarizes the detailed information contained in these
documents.
Security of LIMS is often an afterthought that LIMS staff and users
frequently minimize as an unnecessary imposition, or view as
preventing free information exchange, rather than as safeguards for
the destructive effects of malicious hackers, LIMS failures or natural
disasters. Congress emphasized the importance of security by
enacting the Computer Security Act of 1987. Experienced LIMS
staff and users are becoming acutely aware of the need for safe-
2-78
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security
guards to protect against undesired and frequently unforeseen events. These events,
whether accidental or deliberate, can result in:
modification or destruction of data,
unavailability of data or services, or
the unwanted disclosure of data.
These three general damaging results have shaped the three traditional objectives
(see I, Security Objectives below) of computer security:
integrity,
availability, and
confidentiality.
They commonly form the basis for all security decisions or initiatives.
Undesired events, commonly referred to as threats (see III. Threats), should be
identified for all the assets constituting the LIMS. These assets (see II, Assets) can
include people, hardware, software, physical environment, and others. Reaching
a decision about what, if anything, should be done for each identified threat/asset
involves two distinct phases:
risk analysis (see IV. Risk AnaljsK), identifying and estimating the
damage of each threat/asset risk; and,
risk management (see V. Risk Management), identifying, selecting, and
implementing safeguards to protect against the threat, reduce its impact, or
facilitate recovery from its occurrence.
There are some minimum safeguards (see \'L Minimum Safeguards) that com-
mon sense dictates be implemented to ensure physical protection of LIMS hard-
ware, software, data, and storage media. The cost involved with implementing
these safeguards may be very small, if not zero, and thus do not require a formal
security risk analysis to justify their implementation.
Good Automated Laboratory Practices 2-79
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
I. Security Objectives
The integrity objective provides owners and users of laboratory data with
assurance that their data are reliable and accurate. Achieving this objective
necessitates implementation of safeguards for threats to the integrity of data and the
applications that process the data. Examples of safeguards for software that
provide assurance of integrity include implementing data verification procedures
formanual data entry as specified in 8.4.4, implementing data change requirements
described in 8.4.5, and password-protecting access to LIMS software (see VI.
Minimum Safeguards).
The availability objective provides protection against the loss of information or
services. Serious problems can result from loss of LIMS data because they can be
costly to replace. Similarly, if the LIMS cannot be used or cannot provide timely
services, the production or reporting of LIMS data can be lost or impaired.
Examples of safeguards to provide assurance of the availability of LIMS data
include implementing a regular schedule for backups, placing storage media in a
secured place, and use of an Uninterruptible Power Supply device to provide
virtually complete surge protection, a filter for line noise, and backup power in the
event of an outage (see VI. .Minimum Safeguards).
The confidentiality objective addresses those situations where disclosure of data
would be undesirable or, in some situations unlawful, such as Confidential
Business Information (CBI) (see Notes at end of Discussion for references).
Confidentiality ensures the protection of private information from being disclosed
to anyone who is not authorized to access it. Examples of safeguards to provide
assurance of confidentiality include physical access controls, encryption when
transmitting data, and disposal practices for reports when they are no longer needed
(see VI. Minimum Safeguards).
2-80 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
II. Assets
An asset has value and may be tangible or intangible. An organization should
identify all assets that must be protected. Some assets have minimal value and do
not require protection. A partial list of potential assets includes the following:
Tangibles Intangibles
Facilities Personnel
Hardware Reputation
Software (system and application) Motivation
Supplies Morale
Documentation Goodwill
Data Opportunity
Traditionally, tangible assets were viewed as only hardware and were the major
concern of security. Placing a value on these assets may be relatively easy because
in most cases they are purchased items.
However, tangible assets also include software, data, and documentation. It can be
difficultto place a value on data and documentation because these assets are usually
derived from expenditures of a variety of laboratory resources. LIMS data are
obtained from sources such as observations, analytical instruments, and laboratory
equipment. If data are the result of an analytical experiment or sample analysis,
value can be derived from examining the resources used during the process that
produced them.
Another consideration in determining the value of LIMS data is the capability of
reproducing the dataitself. Data that cannot be reproduced may have a significantly
higher value than data that are easily reproduced. In a similar manner, the value of
the documentation for the LIMS and its applications must be determined.
The value of intangible assets is somewhat subjective. However, intangible assets
must be identified and considered when performing a security risk analysis.
Good Automated Laboratory Practices 2-81
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
III. Threats
Once LIMS assets are determined, it is necessary to identify threats, potential
threats, and future threats to the assets. By identifying these threats, possible
vulnerabilities to integrity, confidentiality, and availability can be identified and
addressed. Threats may exist in many forms; they can be the result of natural
disasters, intentional or accidental action, or malicious or inadvertent destruction.
Natural disasters and environmental hazards are significant threats primarily to
LIMS tangible assets. Potential natural disaster can include floods, tornadoes, or
hurricanes. Environmental hazards include fires, water damage (from bursting
water pipes), and power failures. These disasters can damage or completely destroy
the facility, operating environment, documentation, hardware, software, and LIMS
data. Disruption can occur to communication, operations, or applications.
Other significant threats can result from unrestricted access to the LIMS assets.
Safeguards are most often needed that limit access to the facility, equipment,
hardware, software, documentation, and data. Threats must be assessed for every
potential avenue of access. LIMS data are especially vulnerable because they are
subject to accidental modification or destruction as well as malicious acts of theft
or data sabotage. Accidental data corruption can result from faulty procedures or
from failures of system software security. Training of personnel and development
and compliance with comprehensive SOPs can eliminate much accidental data
corruption or loss.
The threat of computer fraud, frequently motivated by greed and malice, should be
considered. The greater the LIMS data value the greater the potential for intentional
threats. LIMS data should be reviewed to determine if there is value or liability
from an intruder in penetrating the LIMS, disclosing its data, or disrupting
operations. Similarly, the LIMS data should also be evaluated to determine the
impact of decision making and reporting based on incorrect or corrupted data. In
addition to physical controls, the development of and compliance with comprehen-
sive SOPs provides safeguards against theft or sabotage.
2-82 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
IV. Risk Analysis
Risk analysis is a process for estimating potential losses that may result from LIMS
vulnerabilities and quantifying the damage that may result if adverse events occur.
The ultimate goal of risk analysis is to select safeguards that reduce risks to an
acceptable level. Risk analysis is a means of determining the resources needed
in budgetary terms of programming, equipment and people to minimize the loss
of LIMS data integrity, availability, or confidentiality. The extent of the risk
analysis depends on the complexity of the LIMS system, its uses, the characteristics
of its users, and the value of the LIMS data.
EPA Information Security Manual describes methods for performing risk analyses
for different types of LIMS assets.
Step 1 Identification of assets and determination of threats;
Step 2 Identification of existing safeguards;
Step 3 Determining the overall risk to the system based on threats identi-
fied and effectiveness of existing safeguards;
Step 4 Evaluation and selection of safeguards; and
Step 5 Preparing a summary of findings and recommendations.
This risk analysis can then be used as the basis for establishing a cost-effective risk
management program.
Good Automated Laboratory Practices 2-83
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
V. Risk Management
Risk management ensures that adequate steps are taken to prevent or mediate
situations that can interfere with accomplishing the laboratory's mission. Risk
management includes establishing security safeguards and plans for contingencies
(disaster recovery plans). A necessary part of risk management is to assure
implementation of the safeguards and contingency plans. An important first step
is to provide proper training of personnel (security awareness training) to ensure
that all employees understand their security roles.
Risk management involves establishing safeguards to improve protection of
information and information processing resources and to adequately protect the
LIMS data from loss, misuse, unauthorized access or modification, unavailability,
or undetected activities. Safeguards may include restricted user interfaces to LIMS
system and application software and LIMS data, user verification, isolation of
critical LIMS application software, and reviewing and testing the LIMS design.
Including safeguards from the start of LIMS development or LIMS procurement
effort is the most cost-effective way to optimize integrity, availability, and
confidentiality of LIMS data. Risk analysis information, described above, should
be used in the design phase of LIMS development to effect the greatest reduction
in the annual loss expectancy at the least total cost. This information can also guide
laboratory management in developing procedures to meet the LIMS security
objectives of integrity, availability, and confidentiality. To maintain LIMS
security, audits of security practices assist laboratory management in monitoring
security needs and in maintaining reliable compliance with established safeguards.
Another aspect of risk management involves the development of contingency plans
(or disaster recovery plans) for LIMS operations in the event of a failure or
emergency from a number of potential sources such as natural disasters or
equipment malfunction. Laboratory management should develop workable proce-
dures that ensure the continuance of essential functions in the event that LIMS
functions are interrupted. The primary objective of contingency planning is to
protect against unacceptable data loss. It is also important to provide protection
for source documents, input and output data, and application software. It may also
2-84 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
V. Risk Management
be necessary to anticipate the need for alternate hardware and equipment. Contin-
gency plans should include procedures for remote storage of backup data and
recovery of data from backup data files. Contingency planning should be
coordinated with other hardware safeguards, backup procedures, and recovery
plans.
Security awareness training is an important first step in implementing any risk
management plan. All employees involved in the management, use, design,
development, maintenance, or operation of the LIMS should be aware of their
security responsibilities. Laboratory management should select and implement
appropriate security awareness techniques such as training, lectures and seminars,
posters, and orientation booklets. Incentives for adherence by staff to security
procedures may include assigning employee responsibility for security, publicity
of security breaches, and rewards for employees who prevent breaches.
Specific requirements for security and disaster recovery plans are found in EPA
Information Security Manual and EPA Operations and Maintenance Manual.
Good Automated Laboratory Practices 2-85
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
Meeting the objectives of data integrity, availability, and confidentiality necessi-
tates that certain minimum safeguards be implemented for the LIMS. Minimum
safeguards are those common sense measures which may be implemented without
performing a risk analysis. These safeguards ensure the physical and environmen-
tal protection of LIMS equipment and media, and the effective management of the
LIMS.
The cost involved in implementing these safeguards should be minimal. If the
LIMS contains sensitive information, OMB Bulletin No. 90-08, Guidance for
Preparation of Security Plans for Federal Computer Systems that Contain
Sensitive Information, (July 9, 1990) applies. (Data are considered sensitive if
they meet the criteria established in Federal statutes (see Notes at end of
Discussion) and/or are defined as sensitive through risk analysis. Sensitive data
also is defined by legal agreement protecting information such as site location or
source information.)
This section describes minimum safeguards by LIMS asset, arranged into three
categories:
A. Stand-alone Computing
0 Networked Computing
C. Data Center Computing
"Stand-alone computing" is defined as those LIMS that have no physical or logical
connection to any other computer system. A logical connection is an active
network connection; it is a connection to another computer. A physical connection
is a communication connection (wire or optic cable) to another computer or
network. Generally, stand-alone computers are those personal computers or
workstations that have no connection whatsoever (physical) to a network or to
another computer. However, a computer could be considered a stand-alone
system if it is physically connected to a network or another computer, but does not
2-86 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
have the ability to transmit to or receive data from the network or system. Examples
include:
a computer with no physical connection to another computer
a computer with a physical connection, but the installed networking
software is disabled or is inactive
"Networked computing" is defined as those LIMS that have an active logical
connection to a network or to another computer system. In practice, most
networked computers are personal computers, workstations, or minicomputers that
have active connections to a local area network (LAN) or wide area network
(WAN). Many of these systems are increasingly participating in client/server
relationships that share the workload over several computers. The maj ority of these
computer systems are usually physically located on or near an employee's work
space.
"Data center computing" is defined as those LIMS that are physically located
within the confines of a special facility dedicated to computing. Data center
computers are almost always large minicomputers and mainframes with special-
ized peripherals such as external disk arrays, tape drives, and telecommunications
interfaces. Certain security issues, mostly those involving special physical and
environmental safeguards, apply to data center computers.
Some LIMS computing environments do not fall neatly into one of these categories.
For example, most data center computers have active connections to a network.
With the rapidly evolving sophistication of networking software, it is conceivable
that a stand-alone computer can have small networking modules activated that
permit trivial, but highly secure, networking operations to take place. When the
system's computing configuration or environment appears to overlap a category,
the more stringent safeguard should be applied.
Good Automated Laboratory Practices 2-87
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
A. Stand-alone Computing
I. Meeting the Objer lives of Data integrity. A\ nitabillty, an
Stand-alone LIMS are sometimes considered the least susceptible to the
viruses and hacking that have become a threat to networked systems.
However, the data integrity and availability of stand-alone systems can be
easily compromised if the physical and environmental safeguards specified
below are not followed. Data integrity and availability are improved by
adherence safeguards for the storage and use of magnetic media and
backups. Assurance of integrity can also be improved by carefully avoiding
situations that may subject the stand-alone system to viruses borne by
removable media such as diskettes. Software copyrights and licensing are
a factor that may affect data availability. Data confidentiality can be
compromised if stand-alone systems are easily accessible to unauthorized
personnel. Data confidentiality of stand-alone systems is best improved by
defining, training for, and adhering to, individual safeguard responsibilities.
2. Security Responsibility Training;
At least one person, or functional group, should be assigned the overall
responsibility for maintaining stand-alone LIMS security. The responsible
person or group should have the authority and opportunity to contribute to
policy decisions regarding the security topics discussed within this section
(physical and environmental, magnetic media safeguards, backups, etc.).
All LIMS users should be provided with security awareness training.
3, Physical and Eiivironmeufal Safeguards
Position stand-alone LIMS equipment in rooms with locking doors whenever
possible, and lock the doors when the room is not in use. Otherwise,
2-88 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
locate equipment away from easily accessible areas and install a locking
device (pad or hardened cables) to the extent possible. Use a standard keyed
system cabinet lock. Place equipment and peripherals on stable and secure
platforms away from objects that could fall on them.
Store all portable LIMS in a locked cabinet when not in use. Ensure that at
least one individual within the organization is responsible for tracking the
location of portables on a regular basis, and institute logging procedures that
include the release and return dates for authorized users.
Install surge protection devices to protect against electrical power surges.
Do not install the electronic equipment, especially personal computers, in
direct sunlight or in a location with extremes of hot and cold temperatures
(less than 50 degrees Fahrenheit or greater than 100 degrees Fahrenheit). Do
not leave a portable in a parked car, which would also subj ect it to temperature
extremes.
Do not eat, drink, or smoke in the immediate vicinity of LIMS equipment and
media. Install, as far as practical, away from overhead water pipes or
sprinkler heads. Install and use humidifiers when the ambient air is
extremely dry.
4, "apietic- vi^i;t Safeguard4.
Keep all magnetic media in a secure area away from electrical devices and,
especially, magnets. Magnets can be found in magnetic paper clip holders,
building passes and credit cards with magnetized strips, PC hard drive units,
speakers, and telephones. Do not flex diskettes, touch their surfaces, or write
on them directly with a pencil or hard-tipped pen. Store them in disk file
containers as soon as they are removed from equipment. Store cartridge
tapes and removable disk cartridges in their original containers. Backup all
files on a fixed disk at regular intervals.
Good Automated Laboratory Practices 2-89
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
5,
Routine backup procedures should be established to ensure availability of the
LIMS data Stand-alone personal computers are often the least likely to be
backed up. While a precise set of criteria for determining how often to make
these backups cannot be provided, frequency of modifications to data files,
cumulative development time, and the relative importance of the data are key
factors to consider. Many organizations perform backups at least once a
week.
The appropriate backup media can vary and may include diskettes, cartridge
tapes, removable disk cartridges, or remote hosts such as minicomputers.
In all cases, the resultant backup media should be tested at a frequency
adequate to ensure that backup procedures are working correctly. More than
one person within an organization should have the knowledge required to
perform backups to avoid backup schedule interruptions due to personal
leave or termination.
6, Software Copvrights anil License's
Commercial software is frequently subject to copyright laws and accompa-
nied by a licensing agreement that specifies copying regulations. A
copyright generally means that any duplicating, selling, or other distribution
of the software for other than backup use by the lawful user(s) is unlawful.
Many of these copyrighted software packages may affect data availability.
Some software applications cease to function upon expiration of the license;
previous data access provided by the software may be lost. Licenses are
usually available for single systems or for entire sites. LIMS management
should be vigilant to eliminate unlicensed software and maintain current
licenses for stand-alone personal computers. Supervisory personnel should
educate LIMS users on the importance of adhering to copyright law.
2-90 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
Registering all copies of commercial software with the vendor can result in
significant cost savings in free user assistance, reduced price software
upgrades, or free replacement if the software is lost, stolen, or damaged.
", Viruses
A computer virus is an extra program hidden within an apparently normal
program or software package. The normal program or software is referred
to as the virus "host" or "Trojan Horse." Some viruses are relatively
harmless and only flash a message on the monitor before destroying
themselves. Others are truly malicious and modify or destroy programs and
data. One means to avoid viruses on stand-alone LIMS is to purchase only
commercially-produced software (although commercial software is not
immune to viruses, either), and to run a virus scanning program on every
diskette before reading the diskette or copying files from it. To combat
viruses, anumber of specialized programs or software "vaccines" have been
developed. Some are available at low cost, or through the operating system
vendor. New software should also be tested for viruses on stand-alone
computers. A relevant publication, NIST Special Publication 500-166,
Computer Viruses and Related Threats: A Management Guide (August
1989), should be consulted.
B. Networked Computing
Networked computing is highly vulnerable to security threats, because of
its use by large numbers of individuals throughout an organization or, in the
case of the Internet, the world. Due to their predominance on WANs such
as the Internet, workstations, minicomputers, and even mainframes histori-
cally were the prime targets of viruses and hackers. The lack of security and
Good Automated Laboratory Practices 2-91
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
auditing software available for personal computer operating systems makes
these systems singularly ill-equipped to deal with sophisticated threats that
can exist on local or wide-area networks.
Networked LIMS computing is subj ect to the same physical and environmen-
tal threats as stand-alone or data center LIMS computing. Data integrity,
availability, and confidentiality of networked systems may be compromised
if the physical and environmental safeguards specified below are not fol-
lowed. Data integrity, availability, and confidentiality can be improved by
adherence to safeguards regarding the treatment of magnetic media, backups,
and by implementing safeguards to protect against viruses borne by a local or
wide-area network.
Networked computing should implement the minimum operating system and
application safeguards described below. Networked personal computers,
workstations, file servers, print servers, database servers, and minicomputers
that operate outside the confines of a data center should adhere to the
minimum safeguards described in A. Stand-alone Computing. Networked
data center computers should adhere to the operating system and application
safeguards (below) in addition to the safeguards described in . Data Center
Computing.
2. System Application
irilr Safegua
Minimum application security safeguards are implemented largely accord-
ing to the sensitivity of data stored within a LIMS system. The presence of
sensitive data on a LIMS necessitates more stringent measures than those
described below. For LIMS that process sensitive data on a multi-user
system, laboratory management should research the cited references (see
Notes at end of Discussion) for details regarding application security
safeguards for sensitive data. Safeguards can be applied to the operating
2-92
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
system, commercial and internally developed software programs running on
the multi-user system, and data stored on the system.
Minimum operating system safeguards on a networked LIMS include:
implementation of individual username and password management pro-
grams
file access safeguards maintained by the data or file owner
assignment of operating system privileges only to systems management
personnel
monitoring of system events such as logon failures or break-in attempts
emergency, backup, disaster recovery, and contingency plans
application-specific safeguards
Usernames should be assigned and maintained by the individual or group
responsible for maintaining the LIMS. Usernames should be provided only
to individuals, whenever possible. If group IDs are necessary, they should be
assigned limited privileges and revoked as soon as feasible.
Password maintenance is ultimately the responsibility of the individual LIMS
user, but basic syntax rules are necessary, especially where the LIMS is
susceptible to password cracking schemes used by hackers through dial-up
modems, LANs, or WANs. Passwords should be:
1) a minimum of six characters in length,
2) consist of numerals and alphabetic characters,
3) changed at least once every 90 days, and
4) should avoid common names, words found in a dictionary, or repetitive
character sequences.
File access safeguards should be implemented to restrict the use of LIMS
data to only users with authorized access. Group or public file access should
Good Automated Laboratory Practices 2-93
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
be discouraged. Assigning write or delete privileges to increasing numbers
of LIMS users effectively cancels several safeguards because of the increased
opportunity to modify the LIMS data.
Operating system privileges should be assigned very sparingly, and only to
those individuals working directly with the operating systems. Assigning
system privileges to the general user population causes a wide array of
security problems.
Whenever possible, a system for monitoring events such as logon failures or
break-in attempts should be implemented. After three failed logon attempts,
the account should be automatically disabled. Event logs should be reviewed
on a frequent, and regular, basis. Most minicomputer and mainframe
operating systems provide system event logging at no extra cost.
System and data backups (see C.4 Data Center Backups) are the keystone
of emergency, backup, disaster recovery, and contingency plans. A well
thought-out and tested plan is a significant safeguard against unforeseen
natural or man-made disasters. The plan includes notification procedures,
recovery operations, LIMS interim processing, and restoration planning.
Application-specific safeguards include the use of application-specific
usernames and passwords. The commercial database market includes nu-
merous database products that provide additional internal security safe-
guards, including application-specific usernames and passwords. Most of
these also have complex security protection schemes that grant and revoke
database privileges, read/write access, and group protections. In many ways,
these application protections are as sophisticated as their operating system
counterparts, and should be used to augment operating system safeguards.
2-94
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
C. Data Center Computing
Because data centers usually involve large, centralized LIMS, such as
mainframe computers, that also participate in local and wide area networks,
the security measures that apply to networked LIMS should apply to data
center computers. Security training of all data center computer users is
essential for maintaining data integrity, availability, and confidentiality.
Security awareness is important because enormous amounts of potentially
sensitive information are concentrated in one area and, frequently, among a
small number of large computer systems. Data availability can be compro-
mised by failure to adhere to physical and environmental safeguards. Data
integrity and availability are improved by backup and change control prac-
tices.
At least one person, or functional group, should be assigned the overall
responsibility for maintaining LIMS security. A responsible person (see
8.1,6) or group should have the authority and opportunity to contribute to
policy decisions regarding the security topics discussed within this section
(physical and environmental, safeguards, backups, etc.). All LIMS data
center users should be provided with security' awareness training. Because
most data centers include a complex local area network, and involve interac-
tive logons, users should be provided with training in password maintenance
and file protections.
Good Automated Laboratory Practices 2-95
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
J« Physical and Environmental Safeguards
LIMS data center management should strive to locate the data center away
from the ground floor, frequently traveled or easily accessible areas, and
potential sources of explosions (e.g., boiler rooms, hot water heaters). When
choosing a site, take advantage of existing physical security. Limit the
number of doors and entrances to those needed for safe and efficient
operations. Install and use locks on all windows and doors.
When possible, locate master power switches near emergency exits. The
switch should cut off all power to the LIMS and, if possible, should also turn
off the air conditioning system if it is not designed to filter out smoke.
Use fire extinguishers designed to avoid damage to computer equipment, and
mount them in visible, accessible areas. Install smoke and heat detectors.
Avoid installing the computer room underneath water pipes or steam pipes.
If this is not possible, use water sensors to detect water seepage. If practical,
store waterproof plastic in a visible, accessible location so that it can be
draped over equipment in an emergency.
Prohibit eating, drinking, and smoking in the computer room. To reduce dust,
avoid coat racks, throw rugs, Venetian blinds, and other furnishings that
collect dust and static electricity. Vacuum carpeted areas frequently. Control
static electrical charges by using anti-static carpeting or sprays. To reduce fire
hazards, never store flammable materials in the computer room. Keep on-site
paper supplies to a minimum.
4,
A precise set of criteria for determining how often to make backups cannot
be provided. Frequency of modifications to data files, cumulative develop-
ment time, and mission criticality of on-line data are key factors to consider.
2-96 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.6 Security, continued
VI. Minimum Safeguards by Asset:
Stand-alone, Networked, and Data Center Computing
Backups are a key element in disaster recovery plans, and should occur on a
regular and published schedule. The resultant backup media and recover}'
procedures should be tested frequently to ensure that backup procedures are
working correctly. The appropriate backup media can vary and can include
diskettes, cartridge tapes, removable disk cartridges, or remote hosts such as
minicomputers. LAN server backups should occur on aregular and published
schedule. More than one person within an organization should have the
knowledge required to perform backups to avoid backup schedule interrup-
tions due to personal leave or termination.
Threats to integrity, availability, and confidentiality are introduced through
unauthorized change to hardware or software. To help achieve effective
change control, laboratory7 management shall maintain accurate records of
hardware and software inventories, configurations, and locations (see 8.5,4
and 8.7.2); and shall comply with the terms of software licensing agreements.
Prescribe a standardized, formalized method of introducing changes to both
software and hardware (see 8.5,1 .3 and &,1.2). To ensure data availability,
prepare a contingency plan, or other procedure to revert to a previous version
of the software, in the event that the change does not work as intended.
SPECIAL
CONSIDERATIONS
EPA Information Security Manual is currently being
revised and is in internal review.
Good Automated Laboratory Practices 2-97
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.6 Security, continued
Notes...
Federal statues that set the criteria for sensitive data include Computer Security Act of
1987, OMB Circular A-l 30, OMB Bulletin No. 90-08, "Guidance for Preparation of
Security Plans for Federal Computer Systems that Contain Sensitive Information "
(July 9, 1990), EPA Information Security Manual (December 1989), and EPA
Operations and Maintenance Manual (April 1990).
For additional information on computer viruses, see: NIST Special Publication 500-
166, Computer Viruses and Related Threats: A Management Guide (August 1989).
For more information on security, see NIST computer security standards and
guidance, "Computer Security Clearinghouse," at this Internet World Wide Web
address: http://csrc.ncsl.nist.gov/
See Chapter 1,11. SOURCES for addresses and ordering information.
2-98 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.7
HARDWARE
Good Automated Laboratory Practces
Implementation Assistance
2185 1995 Ed, 8/10/95
2-99
-------�
8.7 Hardware
1) Design
When LIMS Raw Data are collected, analyzed, processed, or maintained, labora-
tory management shall ensure that LIMS hardware and communications compo-
nents are:
1) of adequate design and capacity, and a description is documented and
maintained.
EXPLANATION
DISCUSSION
LIMS hardware and communications components shall be config-
ured to meet user performance requirements. The LIMS shall be
designed to ensure LRD integrity, availability, and confidentiality
(see 8.6). Storage capacity and response times must meet user needs.
A system configuration description shall be documented and main-
tained, and include descriptions of all hardware and communication
components. Documentation describing the LIMS hardware, in-
cluding installation specifications, functions, and usage, should be
current and available to laboratory personnel responsible for use and
maintenance.
Proper performance of the LIMS hardware and communications
components is often dependent on the capacity of the system and the
appropriate configuration of the components. Periodic review of
LIMS design may be valuable in assessing the need for modifica-
tions to improve productivity, reduce risk of malfunction, and
improve LRD integrity, availability, and confidentiality (see 8.6
Discussion).
Maintaining a current description of the LIMS hardware and com-
munications components assists maintenance personnel in tracking
problems with the equipment and in repair and replacement, and
assists LIMS personnel in assessing current functionality and future
needs.
2-100
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.7 Hardware
1) Design
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-101
-------�
8.7 Hardware
2) Installation and Operation
When LIMS Raw Data are collected, analyzed, processed, or maintained, laboratory
management shall ensure that LIMS hardware and communications components are:
2) installed and operated in accordance with manufacturer's recommendations
and, at installation, undergo acceptance testing that conforms to acceptance
criteria. SOPs shall be established and maintained to define the acceptance
criteria, testing, documentation, and approval required for changes to LIMS
hardware and communications components.
EXPLANATION
DISCUSSION
Installation shall be according to manufacturer's specifications,
unless otherwise documented, and shall be tested in conformance
with documented acceptance test criteria before the hardware and/
or communications components are determined to be acceptable for
use in the LIMS. The installation site should be planned to facilitate
use and maintenance of the hardware and communications compo-
nents.
The laboratory shall develop SOPs for acceptance criteria, testing,
documentation, and final approval of LIMS hardware and commu-
nications components installation and changes. The SOPs shall be
readily available to all personnel with responsibility for modifica-
tion or changes to LIMS hardware and communications compo-
nents.
The SOPs shall require that changes are described and documented.
The documentation shall include testing and quality assurance
criteria and test results, the authorization approval needed prior to
implementation of changes or modifications, and dates of each
activity.
Evaluating user performance requirements is the first step in LIMS
hardware modification or enhancement. New user requirements
should be periodically reviewed by laboratory management.
2-102
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
Notes...
8.7 Hardware
2) Installation and Operation
Vendor documentation can be obtained for guidance with installa-
tion and initial acceptance testing. Diagnostics provided with
equipment and normally indicated in the documentation can demon-
strate performance in accordance with specifications. However,
additional testing beyond vendor components specifications may be
necessary to adequately demonstrate proper functioning of changes
to LIMS hardware and communications components prior to their
actual usage on the LIMS.
Laboratory management should not risk using inadequately tested
equipment to receive, store, or manipulate LRD. Laboratory man-
agement should review all testing results and documentation before
approving hardware and communications components and return-
ing them to production.
Good Automated Laboratory Practices 2-103
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.7 Hardware
3) Maintenance
When LIMS Raw Data are collected, analyzed, processed, or maintained, laboratory
management shall ensure that LIMS hardware and communications components are:
3) adequately tested, inspected, and maintained. SOPs for and documentation
of these routine operations shall be maintained. Documentation of non-
routine maintenance shall also include a description of the problem, the
corrective action, acceptance testing criteria, and the acceptance testing
performed to ensure that the LIMS hardware and communications
components have been adequately repaired.
EXPLANATION
DISCUSSION
Periodic maintenance of LIMS hardware and communications com-
ponents shall be performed and include testing and inspecting. The
purpose of these routine maintenance operations is to ensure the
integrity of LRD. The frequency of these routine maintenance
operations shall be described in the SOPs and shall comply with
manufacturer's specifications. SOPs shall be developed to describe
the operations and the documentation required.
Documentation of the regularly scheduled LIMS hardware and
communications components maintenance operations shall be main-
tained and include: descriptions of operations performed, the names
of persons who conducted them, dates operations were performed,
and the results.
All repair of malfunctioning or inoperable LIMS hardware and
communications components shall be documented and include: a
description of the problem, correction action taken, acceptance
testing criteria, and the testing performed to ensure proper perfor-
mance prior to returning the LIMS hardware and communications
components to production.
Only personnel with training and experience in testing, inspecting,
and maintenance should be authorized to perform these functions.
A program of testing, inspecting, and routine maintenance opera-
2-104
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.7 Hardware
3) Maintenance
SPECIAL
CONSIDERATIONS
tions should be instituted and designed to assure continued proper
operation of the LIMS. The maintenance program and procedures
should be determined by the vulnerability of the LIMS.
All maintenance specified in the SOPs, whether performed by in-
house personnel or outside contractors, should be included in the
documentation. The operations maintenance documentation should
be kept with the hardware and communications components for
ready access.
A "repair log" may be used to document non-routine maintenance
performed on the LIMS. It should be easily accessible to the LIMS
personnel responsible for updating the log and to the personnel using
the LIMS hardware and communications components. This docu-
mentation should be retained for as long as needed to support
evidence of LRD integrity, or longer if required by other regulations
(see S.9), and should be reviewed on a regular basis by LIMS
management. When repairs are performed by the manufacturer's
service representative or other outside personnel, a written report is
usually provided. This report can be helpful to document the
problem and should be retained. Centralized responsibility for
contacting outside service support and maintaining the documenta-
tion of service calls may prove beneficial to organization and record
keeping. For in-house service, forms may be established to docu-
ment the required information for the repair log.
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-105
-------�
2-106 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.8
COMPREHENSIVE
TESTING
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-107
-------�
8.8 Comprehensive Testing
When LIMS Raw Data are collected, analyzed, processed, or maintained,
laboratory management shall ensure that comprehensive testing of LIMS
performance is conducted, at least once every 24 months or more frequently
as a result of software (see 8.5.2) or hardware (see 8.7,2) changes or modifica-
tions. These tests shall be documented and the documentation shall be re-
tained and available for inspection or audit.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
In order to ensure ongoing LIMS reliability, performance, and
accuracy, comprehensive testing of the LIMS shall be conducted at
least once every 24 months.
This testing should also include a complete document review (SOPs;
change, security, and training documentation; error logs; problem
reports; disaster plans, etc.). Laboratories that change LIMS soft-
ware or hardware within the 24-month interval shall conduct accep-
tance testing as required by 8.5.2 and 8.7.2.
A comprehensive testing team can be assembled that may include
LIMS users, support personnel, and laboratory management, so that
the interests and skills of these individuals can be addressed in the
testing process. A test data set can be developed that significantly
exercises all important functions of the system. This test data set can
then be retained and re-used for future system tests. It may have to
be enhanced if new functionality is added to the system. System test
protocols and test objectives can be developed and re-used. A
checklist can be developed to ensure that all important areas of
testing and document review are addressed.
Consultation with QAU personnel during comprehensive testing
may be advantageous. However, QAU's independence from LIMS
staff must be maintained (see 8.3.1).
2-108
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.8 Comprehensive Testing
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-109
-------�
2-110 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.9
RECORDS
RETENTION
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-111
-------�
8.9 Records Retention
Laboratory management shall ensure that retention of LIMS Raw Data,
documentation, and records pertaining to the LIMS comply with EPA
contract, statute, or regulation; and SOPs for retention are documented,
maintained, and managed as described in 8.11.
EXPLANATION
DISCUSSION
Laboratory management shall ensure that LRD and all LIMS-related
data or documentation are retained by the laboratory for the period
specified in the EPA contract, regulation, or statute, and that SOPs
for retention are documented, maintained, and managed as de-
scribed in 8.11.
Contract clauses or EPA statutes pertinent to record retention
periods can be copied and forwarded to a person designated to
manage records retention, who can monitor compliance and dis-
posal or destruction, as appropriate, when retention periods have
expired. This individual can be responsible for determining reten-
tion periods for any records lacking such information, can ensure
that the storage media used is adequate to meet retention require-
ments, and can institute procedures to copy data stored on magnetic
media whose retention capabilities do not meet requirements (see
also 8.10.2).
2-112
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.9 Records Retention
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-113
-------�
2-114 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.10
FACILITIES
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-115
-------�
8.10 Facilities
1) Environment
When LIMS Raw Data are collected, analyzed, processed, or maintained, laboratory
management shall ensure that:
1) the environmental conditions of the facility housing the LIMS are regulated to
protect against LIMS Raw Data loss.
EXPLANATION
DISCUSSION
The LIMS shall be housed in an environment that allows it to
operate correctly. Control systems should be applied to all environ-
mental factors that might affect LRD loss or integrity. At a
minimum, LIMS hardware should be installed in accordance with
the environmental standards specified by the manufacturer. Con-
trol systems (see 8.6 Minimum Safeguards Discussion) should
ensure:
proper temperature and humidity
freedom from dust and debris
adequate power supply and grounding
protection from power surges and spikes
fire detection and suppression
water detection and suppression
protection from natural disasters
The provisions to regulate environmental conditions are discussed
in greater detail in 8.6 Minimum Safeguards by Asset. The
provisions are summarized here to emphasize their importance.
Climate control systems
LIMS hardware should be installed according to manufacturer's
climate specifications. Heating, ventilation, and air conditioning
dedicated to the computer room or other location where hardware is
installed should be considered. Monitoring or control devices for
temperature and humidity are usually installed. Backup climate
control systems may be worthwhile if time is critical.
2-116
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.10 Facilities
1) Environment
Power provision
Power supplies should comply with the computer hardware manu-
facturer specifications. It may be appropriate to install backup
power supply systems where electrical outage would cause critical
loss or where electrical outage frequently occurs.
Fire and water control systems
Detection and suppression devices for fire and water should be
considered. A sprinkler system may be suitable for some facilities,
but a CO2 system may be suitable for others.
Protection against natural disasters
The facility should be designed and protected according to geo-
graphic conditions. Where earthquakes are likely, housing should
be examined for potential destruction of the LIMS and its data.
Where tornadoes are likely, consideration should be given to
locating computer equipment on lower levels of the facility. Where
flooding is likely, consideration should be given to locating com-
puter equipment on upper levels of the facility.
Operating procedures
Routing procedures for checking and maintaining detection and
suppression devices will ensure that devices are in working order.
Additional procedures may be established that describe how to
operate the LIMS during emergency situations (for example, pow-
ering down).
Notes... v
Good Automated Laboratory Practices 2-117
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.10 Facilities
2) LIMS Raw Data Storage
When LIMS Raw Data are collected, analyzed, processed, or maintained, laboratory
management shall ensure that:
2) environmentally adequate storage capability for retention of LIMS Raw Data,
LIMS Raw Data storage media, documentation, and records
pertaining to the LIMS are provided.
EXPLANATION
DISCUSSION
Environmentally satisfactory and adequate storage space shall be
available for LRD, LRD storage media, and documentation and
records (which may be retained in hard copy format or on magnetic
or optical media).
Operations personnel should maintain an adequate supply of re-
quired tapes, magnetic disks, and/or optical disks and ensure that
storage space is sufficient to meet current and anticipated needs.
Storage facilities for retention of LRD in hard copy or electronic
format must be available and environmentally satisfactory for the
LRD storage media. At a minimum, the storage facility should have
a heating, ventilation, and air conditioning system to control tem-
perature and humidity that will meet the storage condition specifi-
cations of the specific media.
Offsite storage is recommended for backups. Backups can be cycled
through the offsite location. For example, the most recent backup
may be kept on the premises while the previous backup is kept
offsite. This procedure retains the most recent version onsite for
convenience while securing another version offsite for use in the
event of disaster. Offsite storage facilities must have the same
environmental control and security systems required of onsite
storage facilities. In addition, fire and water control systems and
protection against natural disasters should be considered as dis-
cussed in 8.10.1.
2-118
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.10 Facilities
2) LIMS Raw Data Storage
SPECIAL
CONSIDERATIONS
National Bureau of Standards Special Publication 500-101, Care
and Handling of Computer Magnetic Storage Media provides
guidelines for appropriate protective measures and factors for
evaluating exposure for the storage of electronic information. This
publication provides guidelines for performing automated data
processing risk analysis, which includes the condition of the storage
facility.
Notes...
For additional guidance, see: U.S. Department of Commerce National Bureau of
Standards (NBS) Special Publication 500-101, Care and Handling of Computer
Magnetic Storage Media, June 1983.
See Chapter 1,11. SOURCES for addresses and ordering information.
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-119
-------�
2-120 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.11
STANDARD
OPERATING
PROCEDURES
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-121
-------�
8.11 Standard Operating Procedures
1) Availability
Laboratory management shall ensure that:
1) SOPs include, but are not limited to, those specified in 8,4.1, 8.4.4, 8,4.5,
8.5.1,1 through 8.5.1,5, 8,7.2, 8.7.3, and 8.9. Each current SOP shall be
readily available where the procedure is performed.
EXPLANATION
SOPS shall be established and maintained for, but not limited to:
LIMS Raw Data and LIMS Raw Data storage media identifica-
tion and documentation (8.4.1)
LRD verification (8.4,4)
LRD changes (8.4.5)
Software development methodologies (8,5.1.1)
Software testing and quality assurance (8.5.1.2)
Software change control (8.5.1.3)
Software version control (8.5.1.4)
Software historical file (8.5.1.5)
Hardware changes (8.7.2)
Hardware testing, inspection, and maintenance (8.7.3)
Records retention (8.9)
Each current SOP or copy shall be placed in a location that allows
LIMS staff who are responsible for performing the procedure easy
and immediate access to it.
This proximity of the SOP to the LIMS personnel provides assur-
ance that the approved procedures are accessible. When changes to
an SOP are approved, the new version of the SOP shall be provided
to the LIMS staff responsible for following the procedure. The
2-122 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.11 Standard Operating Procedures
1) Availability
DISCUSSION
previous version shall be removed from the work area and retired
according to 8.11.4. If multiple staff perform the same procedure in
different locations, copies of SOPs shall be available in each loca-
tion. When LIMS staff changes occur, the replacement staff shall be
provided with the SOPs.
If multiple copies of SOPs exist, then maintaining the originals in a
secure location is recommended (see also 8,11.4). Laboratory
management should ensure that all copies of SOPs are kept current
and that copies of retired versions of SOPs are removed from
circulation.
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-123
-------�
8.11 Standard Operating Procedures
2) Periodic Review
Laboratory management shall ensure that:
2) SOPs are periodically reviewed at a frequency adequate to ensure that
they accurately describe the current procedures.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
It is laboratory management's responsibility to establish and ensure
that current SOPs accurately document current LIMS activities.
Laboratory management shall ensure that SOPs are reviewed at a
frequency adequate to assure the integrity of LIMS Raw Data.
The adequacy of SOPs is laboratory management's responsibility;
therefore, direct and frequent communication with LIMS staff is
implied. The QAU can assist laboratory management in assuring
that the SOPs are current by reporting any differences between an
SOP and the corresponding LIMS activity. Inspections, and SOP
review can be used by the QAU for this purpose (see 8.3.3 and
83.4).
Changes in critical LIMS support staff or major LIMS hardware
and software changes are important milestones for the QAU or
laboratory management to review the accuracy of SOPs with
respect to LIMS activities.
2-124
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.11 Standard Operating Procedures
2) Periodic Review
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-125
-------�
8.11 Standard Operating Procedures
3) Authorization and Change
Laboratory management shall ensure that:
3) SOPs are authorized and changed in accordance with 8.1.5.
EXPLANATION
DISCUSSION
SOPs set forth and document the methods that assure laboratory
management of the integrity of LIMS Raw Data. Thus, laboratory
management shall authorize each SOP and any subsequent changes
to the SOP. The previous version or copy of the SOP shall be
retained according to 8.11.4.
Authorization of SOPs and all changes to SOPs by laboratory
management ensures that procedures are consistent with all labora-
tory policies and requirements. It allows management to exercise
control of the activities of the laboratory operations. This also
communicates to the LIMS staff the importance of compliance with
the approved SOPs. See 8.1.5 for further discussion.
2-126
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
8.11 Standard Operating Procedures
3) Authorization and Change
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
2-127
-------�
8.11 Standard Operating Procedures
4) Historical File
Laboratory management shall ensure that:
4) a historical file of SOPs is maintained.
EXPLANATION
DISCUSSION
SPECIAL
CONSIDERATIONS
All versions of SOPs, including retired SOPs, shall be maintained in
historical files. The effective dates of each SOP shall be indicated.
Retired SOPs shall be retained in accordance with 8.9.
A centralized historical file or files of SOPs may be an advantage
because of the assurance that the file is properly maintained and
effectively managed. However, larger LIMS operations may appro-
priately maintain separate historical files of SOPs critical to LIMS
Raw Data integrity. Depending on the LIMS operations, multiple
historical files may be preferable over a single file for all SOPs.
Historical files of SOPs may be stored on magnetic media. How-
ever, storage conditions must be consistent with 8,10.2 so that the
SOPs remain available over time.
2-128
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed. 8/10/95
-------�
8.11 Standard Operating Procedures
4) Historical File
Notes...
Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
2-129
-------�
2-130 Good Automated Laboratory Practices
Implementation Assistance
2185 1995 Ed 8/10/95
-------�
GOOD AUTOMATED LABORATORY PRACTICES 2185 1995 Ed.
8/10/95
SOURCES
Page 1 of 2
Copies of the Federal information resources management publications referenced in the
GALP can be ordered via mail, telephone, or the Internet.
This is a Federal regulation and should be available in local public libraries.
The Internet World Wide Web address is:
http://www.first.org/secplcy/csa_87.txt
{'DfVlBj publications
Office of Management and Budget
Assistant Director of Administration
OMB Publications
725 17th Street, NW
Washington, D.C. 20503
telephone: (202) 395-7332 (then press 2)
The Internet addresses for OMB publications are:
World Wide Web: http://www2.infoseek.com/Titles7qrNDMB
Gopher: gopher://pula.fmancenet.gov:70/l 1/docs/central/omb
-------�
2185 1995 Ed. GOOD AUTOMATED LABORATORY PRACTICES
8/10/95
SOURCES
Page 2 of 2
Copies of the Federal information resources management publications referenced in the
GALP can be ordered via mail, telephone, or the Internet.
U.S. Environmental Protection Agency
OARM/FMSD
Publication Distribution Section
Mailcode 3204
401 M St., SW
Washington, D.C. 20460
telephone: (202) 260-5797
For OIRM Automated Laboratory Standards publications, contact:
Rick Johnson Voice: (919)541-1132
EPA (MD-34) Fax: (919) 541-1383
RTF, NC 27711 Internet: johnson.rick@epamail.epa.gov
The Internet addresses for EPA IRM documents are:
World Wide Web: http://www.epa.gov/docs/IRMPolicy.html
Gopher: gopher://gopher.epa.gov:70/l 1/Initiatives/IRM.Policy
and Technology (NISTjand
of
National Technical Information Service The Internet World Wide Web
U. S. Department of Commerce address for NIST is:
5285 Port Royal Road http://www.ncsl.nist.gov
Springfield,VA22161
(703) 487-4650 The Internet World Wide Web
address for FTPS Publications is:
http://www.ncsl.nist.gov/fips/
-------�
2185 1995 Ed
8/10/95
GOOD AUTOMATED LABORATORY PRACTICES
Contents
Chapter 2 Implementation Assistance
1. Principles 2-1
2. Implementation Key 2-3
Implementation Listing
This section is divided into 11 sections which discuss each of the 41 GALP provisions. 8.1
through 8.11 (numbered with reference to Chapter 1). It is intended to provide laboratory'
management and personnel with additional information to assist in implementing each
specific GALP. While atypical situations may require further recommendations and
procedures, the explanatory comments, discussion, and special considerations are provided
to laboratories to implement the GALP provisions successfully and cost-effectively.
8.1 Laboratory Management 2-6
1) Personnel 2-6
2) Quality Assurance Unit 2-8
3) Personnel, Resources, and Facilities 2-10
4) Quality Assurance Report 2-12
5) Approving SOPs and Documenting Deviations 2-14
6) Compliance With GALP Provisions 2-16
8.2 Personnel 2-20
1) Education 2-20
2) Training 2-22
3) Number of Persons 2-24
8.3 Quality Assurance Unit 2-28
1) Independent QAU 2-28
2) Documentation Availability 2-30
3) Inspections 2-32
4) Deviations 2-34
5) LIMS Raw Data Audit 2-36
6) Records 2-38
2-1
-------�
2185 1995 Ed.
8/10/95
GOOD AUTOMATED LABORATORY PRACTICES
Contents
8.4 LIMS Raw Data 2-42
1) Identification and Documentation 2-42
2) Entry and Recording Person 2-44
3) Instrument Identification 2-46
4) Verification 2-48
5) Changes 2-50
8.5 Software 2-54
1) Standard Operating Procedures 2-54
1) Development Methodology 2-54
2) Testing and Quality Assurance 2-56
3) Change Control 2-58
4) Version Control 2-60
5) Historical File 2-62
2) Documentation 2-64
1) Existing and Commercially-Available Systems 2-64
2) New Systems 2-68
3) Availability of Documentation 2-72
4) Historical File 2-74
8.6 Security 2-78
I. Security Objectives 2-80
II. Assets 2-81
III. Threats 2-82
IV. Risk Analysis 2-83
V. Risk Management 2-84
VI. Minimum Safeguards by Asset: Stand-alone, Networked, and
Data Center Computing 2-86
A. Stand-alone Computing 2-88
B. Networked Computing 2-91
C. Data Center Computing 2-95
I 8.7 Hardware 2-100
1) Design 2-100
2) Installation and Operation 2-102
3) Maintenance 2-104
2-ii
-------�
2185 1995 Ed
8/10/95
GOOD AUTOMATED LABORATORY PRACTICES
Contents
8.8 Comprehensive Testing 2-108
8.9 Records Retention 2-112
8.10 Facilities 2-116
1) Environment 2-116
2) LIMS Raw Data Storage 2-118
8.11 Standard Operating Procedures 2-122
1) Availability 2-122
2) Periodic Review 2-124
3) Authorization and Change 2-126
4) Historical File 2-128
2-iii
-------� |