Difference between revisions of "LII:LIMSpec/Specialty Laboratory Functions"

From LIMSWiki
Jump to navigationJump to search
Line 1: Line 1:
__NOTOC__
__NOTOC__


==17. Production Management==
==17. Production management==
{{LIMSpec/Production management}}
{{LIMSpec/Production management}}



Revision as of 15:11, 20 September 2019


17. Production management

Regulation, Specification, or Guidance Requirement
21 CFR Part 211.103
21 CFR Part 226.40 (d)
WHO Technical Report Series, #986, Annex 2, 16.4 and 16.20
17.1 The system should be able to calculate and record theoretical and actual percentage of yield at various phases of processing, manufacturing, and packaging.
21 CFR Part 211.103 17.2 The system should provide a means for verification and approval of yield calculations before release for reporting.

21 CFR Part 820.20
21 CFR Part 820.40
21 CFR Part 820.186
E.U. Commission Directive 2003/94/EC Article 11
WHO Technical Report Series, #986, Annex 2, 1.0

17.3 The system shall be able to maintain a production facility's quality system in a specific quality system record, in accordance with regulations and guidance such as 21 CFR Part 820.20 and 820.40 (U.S.), E.U. Commission Directive 2003/94/EC Article 11 (E.U.), and WHO Technical Report Series, #986, Annex 2, 1.0 (global).
21 CFR Part 820.30
21 CFR Part 820.120 (e)
17.4 The system shall be able to create a design control document capable of recording the details surrounding device development, including control number, physical and performance requirements, final output, review, verification, approval, transfer, changes, and complete design history.
21 CFR Part 820.181
21 CFR Part 820.184
17.5 The system shall be able to create a device master and device history record capable of recording all information described in 21 CFR Part 820.181 and 820.184.

21 CFR Part 106.6
21 CFR Part 111.255–260
21 CFR Part 114.100 (b)
21 CFR Part 211.105 (b)
21 CFR Part 211.130 (e)
21 CFR Part 211.134 (c)
21 CFR Part 211.188
21 CFR Part 211.20 (d)
21 CFR Part 211.50 (c)
21 CFR Part 225.102
21 CFR Part 225.202
21 CFR Part 226.80
21 CFR Part 226.102
21 CFR Part 820.60
21 CFR Part 820.70 (a)
21 CFR Part 820.80 (c)
21 CFR Part 820.120 (d)
BRC GSFS, Issue 8, 6.1.1
Codex Alimentarius CXC 1-1969, Ch.1, 7.1.1
Codex Alimentarius CXC 1-1969, Ch.1, 8.1
E.U. Commission Directive 2003/94/EC Article 9.1
FDA Hazard Analysis Critical Control Point Principle 2 and 4
FDA Hazard Analysis Critical Control Point Principle 7
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 11
IFS Food 7, Part 2, 4.2.1.1
IFS Food 7, Part 2, 4.18.1
IFS PACsecure 2, Part 2, 4.2.1.1
IFS PACsecure 2, Part 2, 4.18.1
Safe Food for Canadians Regulations SOR/2018-108 Division 3, 48 (3)
SQF FSC 9, Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Pet Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.3.1–2
WHO Technical Report Series, #986, Annex 2, 2.1 (a) and (f–g)
WHO Technical Report Series, #986, Annex 2, 15.25–30

17.6 The system shall be able to create a batch production record capable of recording complete information regarding batch production and control details such as, but not limited to, a unique batch, lot, or production run number; formulation; specific labeling and packaging; production steps; in-process and laboratory control results; the unique identifier of any equipment used; persons performing and/or supervising operational steps; and the results of any pre-process or post-production inspections.

21 CFR Part 106.6
21 CFR Part 106.100 (e)
21 CFR Part 111.205–210
21 CFR Part 114.100 (b)
21 CFR Part 211.186
21 CFR Part 212.50 (b)
21 CFR Part 225.102
21 CFR Part 226.102
BRC GSFS, Issue 8, 3.6.2
BRC GSFS, Issue 8, 9.2.1
Codex Alimentarius CXC 1-1969, Ch.1, 7.1.2
FDA Hazard Analysis Critical Control Point Principle 7
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 10.1
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 11
IFS Food 7, Part 2, 4.2.1.1
IFS PACsecure 2, Part 2, 4.2.1.1
SQF FSC 9, Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Pet Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.3.1–2
WHO Technical Report Series, #986, Annex 2, 15.22–23

17.7 The system shall be able to create a master production and control record capable of recording complete information regarding master production and control details.

21 CFR Part 106.100 (e)
21 CFR Part 111.123 (a)
21 CFR Part 114.100 (c)
21 CFR Part 117.150 (d)
21 CFR Part 211.100
21 CFR Part 211.186
21 CFR Part 212.50 (b)
61 FR 38806, 9 CFR Part 417.3
BRC GSFS, Issue 8, 9.2.4
E.U. Commission Directive 2003/94/EC Article 10.3–4
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 10.2
IFS Food 7, Part 2, 4.2.1.2
IFS Food 7, Part 2, 4.3.x
IFS Food 7, Part 2, 5.11
IFS PACsecure 2, Part 2, 4.2.1.2
IFS PACsecure 2, Part 2, 4.3.x
IFS PACsecure 2, Part 2, 5.11
SQF FSC 9, Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Pet Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.3.1–2
WHO Technical Report Series, #986, Annex 2, 2.1 (a–b)
WHO Technical Report Series, #986, Annex 2, 4.0

17.8 The system shall require a new or modified master production and control record to be validated, reviewed, and approved before being implemented into production, including allowing that record to be electronically signed by one or more authorized individuals upon approval. If discrepancies or other errors are found, the system shall also allow authorized individuals to document corrective action taken to resolve those errors, including conclusions and follow-up activity.

21 CFR Part 111.123 (a)
21 CFR Part 114.100 (c)
21 CFR Part 117.150 (d)
21 CFR Part 211.22
21 CFR Part 211.192
21 CFR Part 820.70 (b)
21 CFR Part 820.75
61 FR 38806, 9 CFR Part 417.3
E.U. Commission Directive 2003/94/EC Article 10.3
IFS Food 7, Part 2, 4.2.1.2
IFS Food 7, Part 2, 4.3.x
IFS Food 7, Part 2, 5.11
IFS PACsecure 2, Part 2, 4.2.1.2
IFS PACsecure 2, Part 2, 4.3.x
IFS PACsecure 2, Part 2, 5.11
SQF FSC 9, Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Pet Food Manufacturing, Part B, 2.3.1–2
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.3.1–2
WHO Technical Report Series, #986, Annex 2, 2.1 (a–b, f)
WHO Technical Report Series, #986, Annex 2, 4.0

17.9 The system shall require a new or modified production and control record to be validated, reviewed, and approved before being implemented in production. If discrepancies or other errors are found, the system shall also allow authorized individuals to document corrective action taken to resolve those errors, including conclusions and follow-up activity.

21 CFR Part 211.110
21 CFR Part 212.50
21 CFR Part 820.80 (c)
FDA Hazard Analysis Critical Control Point Principle 4
ISO/TS 22002-1:2009, 14.3

17.10 The system shall be able to indicate if a sample consists of an in-process manufacturing material and track characteristics of the in-process material such as identity, strength, quality, purity, and approval status.
21 CFR Part 211.111 17.11 The system shall provide a means to track the amount of time between production processes.

21 CFR Part 106.6
21 CFR Part 106.80
21 CFR Part 106.100 (f-6)
21 CFR Part 117.420
21 CFR Part 211.122 (c)
21 CFR Part 211.184
21 CFR Part 212.20 (b)
21 CFR Part 212.40 (c) and (e)
21 CFR Part 225.42
21 CFR Part 226.40 (b)
21 CFR Part 226.42
21 CFR Part 606.120 (b)
21 CFR Part 820.60
21 CFR Part 820.80 (b)
21 CFR Part 820.120 (b)
BRC GSFS, Issue 8, 3.6.1
BRC GSFS, Issue 8, 3.9.2
BRC GSFS, Issue 8, 5.4.4
BRC GSFS, Issue 8, 3.5.1
BRC GSFS, Issue 8, 9.5.1–2
Codex Alimentarius CXC 1-1969, Ch.1, 7.2.8
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, I, K - FSM 14.1.1
GFSI Benchmarking Rqmts., v2020.1, Part 3, D - FSM 14.1.2
GFSI Benchmarking Rqmts., v2020.1, Part 3, D - FSM 14.1.3
GFSI Benchmarking Rqmts., v2020.1, Part 3, B3, C0, C1, C2, C3, C4, D, I, K - GMP 17
IFS Food 7, Part 2, 4.5.2
IFS Food 7, Part 2, 4.18.1
IFS PACsecure 2, Part 2, 4.5.2
IFS PACsecure 2, Part 2, 4.18.1
ISO/TS 22002-1:2009, 9.3
ISO/TS 22002-1:2009, 14.2
ISO/TS 22002-4:2013, 4.6.3
ISO/TS 22002-4:2013, 4.11.2
ISO/TS 22002-6:2016, 4.6.3
ISO/TS 22002-6:2016, 4.11.2
Safe Food for Canadians Regulations SOR/2018-108 Part 5, 90
WHO Technical Report Series, #986, Annex 2, 14.4, 14.15, and 14.21
WHO Technical Report Series, #986, Annex 2, 15.32–33

17.12 The system shall be capable of documenting the receipt of non-sample, -standard, and -reagent materials (e.g., formulated drugs, drug components, raw ingredients, medical devices, labeling, and packaging materials), including information such as manufacturer, date of receipt, lot numbers, reference numbers, certificates of conformity, shelf life or expiration date, storage location, status of examination, and status of approval for use. Any related specifications for those materials should be able to be linked to the received materials.

21 CFR Part 211.122 (e)
21 CFR Part 211.125 (d)
21 CFR Part 211.184
21 CFR Part 225.42
21 CFR Part 226.42
BRC GSFS, Issue 8, 3.5.3
BRC GSFS, Issue 8, 9.5.3
Codex Alimentarius CXC 1-1969, Ch.1, 7.2.8
GFSI Benchmarking Rqmts., v2020.1, Part 3, B3, C0, C1, C2, C3, C4, D, I, K - GMP 17
WHO Technical Report Series, #986, Annex 2, 14.7 and 14.22
WHO Technical Report Series, #986, Annex 2, 16.35

17.13 The system shall be capable of recording the changing quantity of inventoried non-sample, -standard, and -reagent materials (e.g., formulated drugs, drug components, raw ingredients, labeling, containers, and packaging materials), including batch and lot numbers and, if applicable, details of disposition after completion of production.

21 CFR Part 106.6
21 CFR Part 106.70
21 CFR Part 111.113
21 CFR Part 111.123 (b)
21 CFR Part 114.100 (d)
21 CFR Part 120.10
21 CFR Part 123.6
21 CFR Part 211.122 (e)
21 CFR Part 211.125 (d)
21 CFR Part 211.184
21 CFR Part 225.42
21 CFR Part 226.42
21 CFR Part 606.100 (c)
21 CFR Part 820.80 (d–e)
21 CFR Part 820.90
21 CFR Part 820.160
BRC GSFS, Issue 8, 3.8.1
Codex Alimentarius CXC 1-1969, Ch.1, 7.2.2
E.U. Commission Reg. No. 2073/2005 Article 7
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 23
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 24.1
IFS Food 7, Part 2, 5.7.1
IFS Food 7, Part 2, 5.10
IFS PACsecure 2, Part 2, 5.7.1
IFS PACsecure 2, Part 2, 5.10
Safe Food for Canadians Regulations SOR/2018-108 Division 5, 82–84
Safe Food for Canadians Regulations SOR/2018-108 Part 5, 90
SQF FSC 9, Food Manufacturing, Part B, 2.4.5
SQF FSC 9, Food Manufacturing, Part B, 2.4.7
SQF FSC 9, Pet Food Manufacturing, Part B, 2.4.5
SQF FSC 9, Pet Food Manufacturing, Part B, 2.4.7
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.4.5
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.4.7
WHO Technical Report Series, #986, Annex 2, 2.1 (g)
WHO Technical Report Series, #986, Annex 2, 14.4, 14.26, and 14.28
WHO Technical Report Series, #986, Annex 2, 15.44–45
WHO Technical Report Series, #986, Annex 2, 16.36
WHO Technical Report Series, #986, Annex 2, 17.18–19

17.14 The system shall prevent the internal release for distribution of a completed production batch until an authorized individual has determined the batch's conformance to final specifications and has approved it for release. If a batch is nonconforming, the system shall be able to clearly document it as such (so as to not distribute it) and provide a review and disposition process. Such approval, rejection, review, and disposition activities shall be documented.

21 CFR Part 7 Subpart C
21 CFR Part 117.139
21 CFR Part 211.192
21 CFR Part 507.38
21 CFR Part 810 Subpart B
BRC GSFS, Issue 8, 3.11.2
Codex Alimentarius CXC 1-1969, Ch.1, 7.5
E.U. Commission Directive 2003/94/EC Article 13
E.U. Commission Reg. No. 2073/2005 Article 7
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 22
IFS Food 7, Part 2, 5.9.2
IFS PACsecure 2, Part 2, 5.9.2
ISO/TS 22002-1:2009, 15.x
ISO/TS 22002-4:2013, 4.12
ISO/TS 22002-6:2016, 4.12
Safe Food for Canadians Regulations SOR/2018-108 Division 5, 82–84
SQF FSC 9, Food Manufacturing, Part B, 2.6.3
SQF FSC 9, Pet Food Manufacturing, Part B, 2.6.3
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.6.3
WHO Technical Report Series, #986, Annex 2, 6.0
WHO Technical Report Series, #986, Annex 2, 14.32

17.15 The system shall provide a means to track and record recall activities of manufactured product and devices based on lot, batch, or other identifier, including storage location, necessary disposition details, and reconciliation between distributed and recovered quantities.

21 CFR Part 111.520
21 CFR Part 211.165 (f)
21 CFR Part 211.204
21 CFR Part 212.71 (d)
21 CFR Part 820.90 (b-2)
E.U. Commission Reg. No. 2073/2005 Article 7
SQF FSC 9, Food Manufacturing, Part B, 2.4.6
SQF FSC 9, Pet Food Manufacturing, Part B, 2.4.6
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.4.6
WHO Technical Report Series, #986, Annex 2, 14.29–30

17.16 The system should allow a completed production batch that has been rejected for use or a returned production batch to be flagged in the system for reprocessing or reworking if it meets relevant criteria.

21 CFR Part 112.145
BRC GSFS, Issue 8, 4.11.8.x
E.U. Commission Reg. No. 2073/2005 Article 5
GFSI Benchmarking Rqmts., v2020.1, Part 3, B3, C0, C1, C2, C3, C4, I - FSM 19.2
ISO/TS 22002-1:2009, 11.5
SQF FSC 9, Food Manufacturing, Part B, 2.4.8
SQF FSC 9, Pet Food Manufacturing, Part B, 2.4.8
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.4.8

17.17 The system shall support environmental testing protocols for testing the production environment on a scheduled, reportable basis. That support shall include facility and sampling site management functionality that allows for highlighting specific test points in the facility, as well as support for offsite and randomized testing. The system should also allow associated samples, methods, tests, reports, and other documents to clearly indicate they correspond to specific environmental testing protocols.

18. Statistical trending and control charts

Regulation, Specification, or Guidance Requirement

21 CFR Part 820.250
AIHA-LAP Policies 2018 2A.7.7.1.3
ASTM E1578-18 E-10-1
EPA 815-R-05-004 Chap. IV, Sec. 7.2.8
EPA 815-R-05-004 Chap. VI, Sec. 7.8
E.U. Commission Reg. No. 2073/2005 Article 9
FDA Hazard Analysis Critical Control Point Principle 4
ISO/IEC 17025:2017 7.7.1

18.1 The system should allow authorized users to configure the generation of statistical trending and control charts.

21 CFR Part 820.250
AIHA-LAP Policies 2018 2A.7.7.1.3
ASTM E1578-18 E-10-2
EPA 815-R-05-004 Chap. IV, Sec. 7.2.8
EPA 815-R-05-004 Chap. VI, Sec. 7.8
E.U. Commission Reg. No. 2073/2005 Article 9
FDA Hazard Analysis Critical Control Point Principle 4

18.2 The system should allow authorized users to choose specific sample types, tests, and parameters associated with the statistical trending and control charts that can be generated.

19. Agriculture and food data management

Regulation, Specification, or Guidance Requirement
FDA Office of Regulatory Affairs Data Exchange (ORA DX) Program 19.1 The system should be able to create or convert an XML or XLS file to ORA DX template specifications, including the use of ORA DX terminology.
PFP Human and Animal Food Testing Laboratories Best Practices Manual
USDA Sampling Procedures for PDP 5.3
USDA Sampling Procedures for PDP 6.2
19.2 The system shall allow for the assignment of the "regulatory sample collection" role and be able to produce a list of individuals in said role, including information such as name, locations assigned, part- or full-time role, and full-time equivalents (if any) used to meet any regulatory requirements.
USDA Sampling Procedures for PDP 5.4 19.3 The system shall allow for the documentation of sampling sites used for normal and regulatory sampling and be able to produce a complete list of such sites on-demand. The documentation should allow for details such as the addition of a unique, never-before-used site code; a region code; demographics; date added to or removed from the system; facility type; sample substrates or commodities available at the site; and relative volume information.
USDA Sampling Procedures for PDP 5.4.12 and 5.4.14 19.4 The system shall allow a site that is no longer active for sampling purposes be designated as inactive, yet be allowed to remain on any generated master list. Additionally, such inactive site shall maintain its unique site number in the event the site becomes reinstated as active.

21 CFR Part 117.130–135
21 CFR Part 120 (throughout)
21 CFR Part 123.6
21 CFR Part 507, Subpart C
61 FR 38806, 9 CFR Part 417.x
BRC GSFS, Issue 8, 2.x
Codex Alimentarius CXC 1-1969, Ch.2, 3.x
E.U. Commission Reg. No. 852/2004 Article 5
E.U. Commission Reg. No. 2073/2005 Article 5
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - HACCP 1.X
IFS Food 7, Part 2, 2.2.x
IFS PACsecure 2, Part 2, 2.2.x
SQF FSC 9, Food Manufacturing, Part B, 2.4.3
SQF FSC 9, Pet Food Manufacturing, Part B, 2.4.3
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.4.3

19.5 The system shall allow for the development and documentation of hazard analysis and critical control points (HACCP) or other regulatory-driven food safety plan steps, as well as the implementation of those CCPs or steps into configurable laboratory workflow.
61 FR 38806, 9 CFR Part 417.4 19.6 The system shall require a new or modified HACCP or other regulatory-driven food safety plan be validated, reviewed, and approved before being implemented, including requiring that plan to be electronically signed by one or more authorized individuals upon approval.

21 CFR Part 106.90
21 CFR Part 106.92
21 CFR Part 106.94
21 CFR Part 106.100 (j)
BRC GSFS, Issue 8, 3.4.x
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, D, I, K - FSM 20
IFS Food 7, Part 2, 5.1
IFS PACsecure 2, Part 2, 5.1
ISO/IEC 17025:2017 8.8.2
SQF FSC 9, Food Manufacturing, Part B, 2.5.4
SQF FSC 9, Pet Food Manufacturing, Part B, 2.5.4
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.5.4

19.7 The system shall allow for the documentation and management of internal and external audit activities, while allowing samples, methods, tests, results, reports, documents, and more to be clearly associated with that corresponding audit activity.

20. Environmental data management

Regulation, Specification, or Guidance Requirement
EPA Metadata Technical Specification 20.1 The system should support metadata requirements set forth by ISO 19115 and the EPA Metadata Technical Specification for reporting and data publishing purposes.
EPA ERLN Laboratory Requirements 3.3 20.2 The system should support the manual entry or electronic transfer of EPA analytical service requests (ASRs), along with all the required fields of the ASR, including project identifier, project demographics, sample specifics, sample hazards, reporting requirements, and special requirements.
EPA SEDD Specification and Data Element Dictionary v5.2 20.3 The system should support the creation and transfer of Staged Electronic Data Deliverable (SEDD) files.

40 CFR Part 3.10
40 CFR Part 60 (throughout)
40 CFR Part 62 (throughout)
40 CFR Part 63 (throughout)

20.4 The system shall support generating electronic environmental reports (e.g., stationary source emissions tests) in either the EPA's Electronic Reporting Tool (ERT) special spreadsheet format or in an XML file format that complies with EPA-approved XML schema.
DoD General Data Validation Guidelines 20.5 The system should support electronic data deliverable (EDD) validation by linking the EDD to its quality assurance project plan (QAPP) and the appropriate stage of validation for the EDD's data type.

21. Forensic case and data management

Regulation, Specification, or Guidance Requirement

ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.8.4.3 ASTM E1188-11 3.2.3
ASTM E1188-11 3.4.1
ASTM E1459-13 2.1
ASTM E1459-13 4.1.1–2
ASTM E1459-13 4.1.4.2
ASTM E1459-13 4.2.2–3
ASTM E1492-11 4.1.1
ASTM E1492-11 4.1.5

21.1 The system shall be able to assign each piece of collected evidence and each scene a unique identifier using methodologies such as an ID with an incrementing integer (for sequential evidence numbers) or a user-defined naming format for meeting regulatory requirements.
A2LA C223 4.13
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.13.2.6–10
ASTM E1492-11 4.1.1
21.2 The system shall be able to assign each case a unique case identifier that, in addition to an electronic signature, is able to be automatically placed on, at a maximum, each page of the case's associated examination and administration records.

A2LA C223 4.13
ASTM E1492-11 4.1.1.1–2
ASTM E1492-11 4.1.4–5
ASTM E1492-11 4.2.2–3
ASTM E1492-11 4.5.1.1

21.3 In addition to a unique case number, the system shall provide a means to add additional information to a case file, including, but not limited to, submitting agency, agency case number, date of case receipt, name of recipient, shipping and receipt details, items associated with the case and their unique designators, notes, test data, related reports, and other documentation.
ASTM E1188-11 (throughout)
ASTM E1459-13 (throughout)
ASTM E1492-11 4.4.3 and 4.5.1
21.4 The system should be able to document evidence using an ASTM-compliant evidence log, including, but not limited to, unique identifiers, investigator and custodian names, key dates and times, evidence conditions, and storage location.
ASTM E1492-11 4.3.1.1 21.5 The system should be able to prevent a piece of evidence from being scheduled for destructive testing until an appropriate authorization for such analysis is acquired and documented.
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.8.1.1.1
ASTM E1492-11 4.1.2
21.6 The system shall be able to record and maintain chain of custody of evidence that is subdivided in the laboratory in the same way that original evidence items are tracked.
CJIS Security Policy 5.1.3 21.7 The system shall be capable of recording the secondary dissemination to an authorized agency or organization of criminal history record information (CHRI) sourced from U.S. Criminal Justice Information Services (CJIS).
CJIS Security Policy 5.4.7 21.8 The system shall be able to record all National Crime Information Center (NCIC) and Interstate Identification Index (III) data transactions, clearly identifying the operator and authorized receiving agency or organization. III records shall also identify requester and recipient using a unique identifier.
CJIS Security Policy 5.5.6
NIST 800-53, Rev. 5, AC-17(1)
21.9 If the system provides remote access to authorized users over authorized devices, the remote access shall be monitored, controlled and documented, particularly for privileged functions. If remote access to privileged functions is allowed, virtual escorting that meets CJIS Security Policy 5.5.6 conditions will be required.
CJIS Security Policy 5.6.2.1.1.1–2
CJIS Security Policy 5.6.2.1.2–3
NIST 800-53, Rev. 5, IA-5(1)
21.10 The system shall be capable of putting into place, in their entirety, either the "basic password standards" or "advanced password standards" described in CJIS Security Policy 5.6.2.1.1.1 and 5.6.2.1.1.2. If PIN and/or one-time password is also used, the attributes in 5.6.2.1.2 and 5.6.2.1.3 shall also be required.
CJIS Security Policy 5.6.2.2 21.11 If the system supports user-based certificates for authentication, the system shall be configurable enough to require them to be 1. user-specific, not device-specific, 2. used only by one user at any given time, and 3. activated for each use by, e.g., a passphrase or PIN.
CJIS Security Policy 5.10.1.2.1–2
CJIS Security Policy Appendix G.6
NIST 800-53, Rev. 5, AC-17(2)
NIST 800-53, Rev. 5, SC-13, SC-28, and SC-28(1)
21.12 The system shall allow "encryption in transit" and "encryption at rest" of criminal justice information (CJI) that meets or exceeds the requirements of CJIS Security Policy 5.10.1.2.1 and 5.10.1.2.2.
CJIS Security Policy 5.10.1.5 21.13 If the system is cloud-based, the vendor shall ensure that CJI is stored in databases located within the physical boundaries of APB-member countries and within the legal authority of APB-member agencies. Additionally, the vendor shall agree to not use any metadata derived from unencrypted CJI for commercial, advertising, or other purposes, unless specifically permitted for limited within the service agreement.
CJIS Security Policy 5.11.1–2 21.14 If the system is cloud-based, the vendor should agree to FBI and CSA compliance and security audits of CJI.
CJIS Security Policy 5.10.3.2
CJIS Security Policy Appendix G.1
21.15 If the system is capable of being run in a virtual environment, it shall meet the virtualization requirements set forth in CJIS Security Policy 5.10.3.2 and best practices set forth in CJIS Security Policy Appendix G.1.
CJIS Security Policy Appendix G.5
NIST 800-53, Rev. 5, AC-6(4)
NIST 800-53, Rev. 5, SC-39
21.16 The system should provide separate processing domains in order to not only allow for more granular allocation of user privileges, but also to prevent one process from modifying the executing code of another process.
NIST 800-53, Rev. 5, IA-2(1–2), IA-2(12), and IA-8(1) 21.17 The system should support the use of personal identity verification—a U.S. Federal government-wide credential system—and other forms of hardware-based (i.e., public key infrastructure or PKI) token authentication, while electronically verifying those credentials and any configured token quality requirements.
A2LA C223 5.4 21.18 The system should support the identification and tagging of infrequently performed forensic tests or analyses in order to alert the analyst and other stakeholders that additional competency verification or method validation is required before performing the test or analysis.
A2LA C223 5.9 21.19 The system should allow case records to be scheduled for periodic administrative and technical review by individuals not connected with the case. The conducted review should indicate details such as who conducted the review, what the results were, and when the review was completed. If non-conforming results were discovered, records of determination and resolution should be appended to the case record.
A2LA C223 5.9 21.20 The system should be able to document examiner testimony and allow such testimony to be scheduled for periodic evaluation. The conducted evaluation should indicate details such as who conducted the evaluation, what the results were, and when the review was completed. If non-conforming results were discovered, related records of determination and resolution should be maintained in the system.

22. Public health data management

Regulation, Specification, or Guidance Requirement
CDC PHIN Messaging System 22.1 The system should be capable of interfacing with the Centers for Disease Control and Prevention's (CDC's) PHIN Messaging System.
ACMG Technical Standards for Clinical Genetics Laboratories G1.5
22.2 The system should support Human Genome Variation Society (HGVS) nomenclature and terminology for sequence variants.
CLSI QMS22 2.1.2.3 22.3 The system should be able to collect sufficient test utilization information to make necessity checks on ordered tests against established benchmarks.
ONC USCDI v2 22.4 The system should support the United States Core Data for Interoperability (USCDI) v2 standard, which in turn supports data interoperability across multiple clinical settings.
CDC Immunization Information System (IIS) Functional Standards, v4.1, 8.1–8.3 22.5 The system should support Simple Object Access Protocol (SOAP), Web Services Definition Language (WSDL), Health Level 7 (HL7), and other data transport and exchange solutions endorsed by the CDC, which in turn supports data interoperability across multiple clinical settings and health information systems, including immunization information systems (IISs), electronic health records (EHRs), and laboratory information systems (LISs).
45 CFR Part 171 22.6 The system should be developed without any information blocking practices—practices likely to interfere with the access, exchange, or use of electronic health information—knowingly implemented into the system.

23. Veterinary data management

Regulation, Specification, or Guidance Requirement
NAHLN Information Technology System
VeNom Coding Group
Veterinary Terminology Services Laboratory
23.1 The system should support standardized veterinary clinical terminology such as that found in the Veterinary Extension of SNOMED CT and the Veterinary Nomenclature (VeNom) Codes.
ICAR 15 Data Exchange
VICH GL53
23.2 The system should be able to exchange data, when necessary, in a fashion that meets International Committee for Animal Recording (ICAR) and Veterinary International Conference on Harmonization (VICH) electronic data exchange guidelines.
NAHLN HL7 Messaging Quick User Guide 23.3 The system should support National Animal Health Laboratory Network (NAHLN), and, by extension, Health Level 7 (HL7) result messaging.

24. Scientific data management

Regulation, Specification, or Guidance Requirement

ASTM E1578-18 E-11-1
EPA ERLN Laboratory Requirements 4.3.4.1
EPA ERLN Laboratory Requirements 4.8.9
EPA ERLN Laboratory Requirements 4.9.9

24.1 The system shall capture raw instrument data and metadata either as an electronic file or directly via RS-232 or TCP/IP communication.
ASTM E1578-18 E-11-2 24.2 The scientific data management system (SDMS) should provide a checksum verification of source and destination data and store that verification data in a secure server with controlled access.

ASTM E1578-18 E-11-1
EPA ERLN Laboratory Requirements 4.3.4.1
EPA ERLN Laboratory Requirements 4.8.9
EPA ERLN Laboratory Requirements 4.9.9

24.3 The system shall store metadata related to raw instrument data in a database in such a way that the original data generated by instruments for specific samples and tests is easy to retrieve.
ASTM E1578-18 E-11-4 24.4 The system should be capable of capturing a complete and readable copy of original data and any previous versions of modified data in order to maintain the integrity of that data.

AAVLD AAVLD Requirements for an AVMDL Sec. 4.10.2.3
ASTM E1578-18 E-11-5
EPA ERLN Laboratory Requirements 4.3.4.1
EPA ERLN Laboratory Requirements 4.8.9
EPA ERLN Laboratory Requirements 4.9.9

24.5 The system should secure raw data such that it can't be deleted and provide version control when data is modified by any user or specific software.
ASTM E1578-18 E-11-6 24.6 The SDMS should provide tools for helping a laboratory achieve the U.S. Food and Drug Administration's defined ALCOA principles.
ASTM E1578-18 E-11-7 24.7 The SDMS shall provide security and access controls for protecting stored data.
ASTM E1578-18 E-11-8 24.8 The SDMS shall record an audit trail for each and every record created and modified, using version control.
45 CFR Part 164.308
ASTM E1578-18 E-11-9
24.9 The SDMS shall provide proper systems for backing up, restoring, and archiving data for long-term use.

25. Health information technology

Regulation, Specification, or Guidance Requirement
45 CFR Part 170.315 (a-1–a-4) 25.1 The electronic health record (EHR) module should provide computerized provider order entry (CPOE) functionality for medication orders, laboratory orders, and diagnostic imaging, including making checks for potential drug-drug and drug-allergy interactions.
45 CFR Part 170.315 (a-5)
45 CFR Part 170.315 (a-11–a-12)
45 CFR Part 170.315 (a-15)
25.2 The EHR module should allow authorized personnel to record, change, and access patient demographic data, including, but not limited to, race and ethnicity, patient's preferred language, birth sex, current sex, sexual orientation, gender identity, birth date, smoking status, alcohol use, family health history, psychological aspects, social aspects, and behavioral aspects.
45 CFR Part 170.315 (a-6–a-8)
45 CFR Part 170.315 (a-10)
45 CFR Part 170.315 (a-14)
25.3 The EHR module should allow authorized personnel to record, change, and access a patient's active problem list, medication list, medication allergy list, preferred drug list, and implantable device list, incorporating, where appropriate, at a minimum the SNOMED CT nomenclature standard.
45 CFR Part 170.315 (a-19) 25.4 The EHR module should incorporate configurable, role-based clinical decision support tools capable of allowing authorized personnel to trigger electronic interventions based on liked reference information standardized to Health Level 7 (HL7) Version 3 implementation guides. The reference information should be sourced.
45 CFR Part 170.315 (a-13) 25.5 The EHR module should be able to identify education resources specific to a patient's active problem and medication lists. The educational resources should be standardized to Health Level 7 (HL7) Version 3 implementation guides.
45 CFR Part 170.315 (b-1–b-2; b-4–b-5) 25.6 The EHR module should allow authorized personnel to create, view, send, and receive transition of care or referral summaries in such a way that the summary is properly formatted, matched to the correct patient, and reconciled according to the standards and protocols outlined in 45 CFR Part 170.315 (b-1), (b-2), (b-4), and (b-5).
45 CFR Part 170.315 (b-3) 25.7 The EHR module should allow authorized personnel to conduct electronic prescribing actions such as creating, changing, cancelling, and refilling prescriptions, incorporating at least the RxNorm and NCPDP SCRIPT standards.
45 CFR Part 170.315 (b-6) 25.8 The EHR module should allow authorized personnel to configure, create, and store data exports, incorporating at least HL7 Version 3 implementation standards, as well as SNOMED CT and ICD-9 standards.
45 CFR Part 170.315 (b-7–b-8) 25.9 The EHR module should allow for the secure creation, sending, and receipt of restricted summary records, incorporating HL7 Version 3 implementation standards.
45 CFR Part 170.315 (b-9) 25.10 The EHR module should allow authorized personnel to create, record, change, access, and receive care plan information, incorporating HL7 Version 3 implementation standards.
45 CFR Part 170.315 (c) 25.11 The EHR module should provide a means to record, calculate, import, export, filter, and report on clinical quality measures according to the standards outlined in 45 CFR Part 170.315 (c).
45 CFR Part 170.315 (d) 25.12 The EHR module shall provide security and access controls for protecting stored data.
45 CFR Part 170.315 (d) 25.13 The EHR module shall record an audit trail for each and every record created and modified, using version control.
45 CFR Part 170.315 (d-7) 25.14 The EHR module shall either encrypt electronic health information on end-user devices after use of the technology on the device stops or prevent electronic health information from being stored on end-user devices after use of the technology on the device stops.
45 CFR Part 170.315 (d-8) 25.15 The EHR module shall ensure that electronically exchanged health information has not been altered during the transfer process, using at least a hashing algorithm secured to SHA-2 or better.
45 CFR Part 170.315 (d-11) 25.16 The EHR module should be capable of recording patient disclosures made for treatment, payment, and health care operations.
45 CFR Part 170.315 (e-1) 25.17 The EHR module should provide a means for patients and their authorized representatives to view, download, and transmit their personal health information and activity history log from the EHR via an internet-based technology, using the standards outlined in 45 CFR Part 170.315 (e-1).
45 CFR Part 170.315 (e-2–e-3) 25.18 The EHR module should provide a means for authorized users to securely send messages to and receive messages from patients, at the same time allowing for the recording, accessing, and linking of information shared by the patient electronically (as well as directly).
45 CFR Part 170.315 (f) 25.19 The EHR module should allow vital patient information as it relates to public health to be transmitted to immunization registries, cancer registries, and public health agencies, as well as be accessed after the fact. This includes, but is not limited to, immunization history, surveillance information, laboratory test results, cancer case information, case reports, antimicrobial reporting, and health care survey information.
45 CFR Part 170.315 (g-3–g-5) 25.20 The EHR developer should use user-centered and accessibility-centered design processes for creating and testing the EHR's functionality. A quality management system should be used during these processes.
45 CFR Part 170.315 (g-6) 25.21 The EHR module's use of clinical document architecture (CDA) should be demonstrated and verified for conformance to the standards identified in 45 CFR Part 170.315 (g-6).
45 CFR Part 170.315 (g-7–g-9) 25.22 The EHR module should include an application programming interface (API) that demonstrates the EHR's ability to uniquely identify a patient and corresponding ID/token in a received records or data category request in order to accurately and securely meet the request for that patient's data. The API should be well documented.

26. Health information technology

Regulation, Specification, or Guidance Requirement
45 CFR Part 170.315 (a-1–a-4) 25.1 The electronic health record (EHR) module should provide computerized provider order entry (CPOE) functionality for medication orders, laboratory orders, and diagnostic imaging, including making checks for potential drug-drug and drug-allergy interactions.
45 CFR Part 170.315 (a-5)
45 CFR Part 170.315 (a-11–a-12)
45 CFR Part 170.315 (a-15)
25.2 The EHR module should allow authorized personnel to record, change, and access patient demographic data, including, but not limited to, race and ethnicity, patient's preferred language, birth sex, current sex, sexual orientation, gender identity, birth date, smoking status, alcohol use, family health history, psychological aspects, social aspects, and behavioral aspects.
45 CFR Part 170.315 (a-6–a-8)
45 CFR Part 170.315 (a-10)
45 CFR Part 170.315 (a-14)
25.3 The EHR module should allow authorized personnel to record, change, and access a patient's active problem list, medication list, medication allergy list, preferred drug list, and implantable device list, incorporating, where appropriate, at a minimum the SNOMED CT nomenclature standard.
45 CFR Part 170.315 (a-19) 25.4 The EHR module should incorporate configurable, role-based clinical decision support tools capable of allowing authorized personnel to trigger electronic interventions based on liked reference information standardized to Health Level 7 (HL7) Version 3 implementation guides. The reference information should be sourced.
45 CFR Part 170.315 (a-13) 25.5 The EHR module should be able to identify education resources specific to a patient's active problem and medication lists. The educational resources should be standardized to Health Level 7 (HL7) Version 3 implementation guides.
45 CFR Part 170.315 (b-1–b-2; b-4–b-5) 25.6 The EHR module should allow authorized personnel to create, view, send, and receive transition of care or referral summaries in such a way that the summary is properly formatted, matched to the correct patient, and reconciled according to the standards and protocols outlined in 45 CFR Part 170.315 (b-1), (b-2), (b-4), and (b-5).
45 CFR Part 170.315 (b-3) 25.7 The EHR module should allow authorized personnel to conduct electronic prescribing actions such as creating, changing, cancelling, and refilling prescriptions, incorporating at least the RxNorm and NCPDP SCRIPT standards.
45 CFR Part 170.315 (b-6) 25.8 The EHR module should allow authorized personnel to configure, create, and store data exports, incorporating at least HL7 Version 3 implementation standards, as well as SNOMED CT and ICD-9 standards.
45 CFR Part 170.315 (b-7–b-8) 25.9 The EHR module should allow for the secure creation, sending, and receipt of restricted summary records, incorporating HL7 Version 3 implementation standards.
45 CFR Part 170.315 (b-9) 25.10 The EHR module should allow authorized personnel to create, record, change, access, and receive care plan information, incorporating HL7 Version 3 implementation standards.
45 CFR Part 170.315 (c) 25.11 The EHR module should provide a means to record, calculate, import, export, filter, and report on clinical quality measures according to the standards outlined in 45 CFR Part 170.315 (c).
45 CFR Part 170.315 (d) 25.12 The EHR module shall provide security and access controls for protecting stored data.
45 CFR Part 170.315 (d) 25.13 The EHR module shall record an audit trail for each and every record created and modified, using version control.
45 CFR Part 170.315 (d-7) 25.14 The EHR module shall either encrypt electronic health information on end-user devices after use of the technology on the device stops or prevent electronic health information from being stored on end-user devices after use of the technology on the device stops.
45 CFR Part 170.315 (d-8) 25.15 The EHR module shall ensure that electronically exchanged health information has not been altered during the transfer process, using at least a hashing algorithm secured to SHA-2 or better.
45 CFR Part 170.315 (d-11) 25.16 The EHR module should be capable of recording patient disclosures made for treatment, payment, and health care operations.
45 CFR Part 170.315 (e-1) 25.17 The EHR module should provide a means for patients and their authorized representatives to view, download, and transmit their personal health information and activity history log from the EHR via an internet-based technology, using the standards outlined in 45 CFR Part 170.315 (e-1).
45 CFR Part 170.315 (e-2–e-3) 25.18 The EHR module should provide a means for authorized users to securely send messages to and receive messages from patients, at the same time allowing for the recording, accessing, and linking of information shared by the patient electronically (as well as directly).
45 CFR Part 170.315 (f) 25.19 The EHR module should allow vital patient information as it relates to public health to be transmitted to immunization registries, cancer registries, and public health agencies, as well as be accessed after the fact. This includes, but is not limited to, immunization history, surveillance information, laboratory test results, cancer case information, case reports, antimicrobial reporting, and health care survey information.
45 CFR Part 170.315 (g-3–g-5) 25.20 The EHR developer should use user-centered and accessibility-centered design processes for creating and testing the EHR's functionality. A quality management system should be used during these processes.
45 CFR Part 170.315 (g-6) 25.21 The EHR module's use of clinical document architecture (CDA) should be demonstrated and verified for conformance to the standards identified in 45 CFR Part 170.315 (g-6).
45 CFR Part 170.315 (g-7–g-9) 25.22 The EHR module should include an application programming interface (API) that demonstrates the EHR's ability to uniquely identify a patient and corresponding ID/token in a received records or data category request in order to accurately and securely meet the request for that patient's data. The API should be well documented.