Difference between revisions of "User:Shawndouglas/sandbox/sublevel9"

From LIMSWiki
Jump to navigationJump to search
Line 17: Line 17:


====3.1.3 Cybersecurity considerations====
====3.1.3 Cybersecurity considerations====
From law firms<ref name="SobowaleLaw17">{{cite web |url=http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/ |title=Law firms must manage cybersecurity risks |author=Sobowale, J. |work=ABA Journal |publisher=American Bar Association |date=01 March 2017 |accessdate=06 December 2022}}</ref> to automotive manufacturers<ref name="WatneyAddress17">{{cite web |url=https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf |format=PDF |title=Addressing new challenges in automotive cybersecurity |author=Watney, C.; Draffin, C. |work=R Street Policy Study No. 118 |publisher=R Street Institute |date=November 2017 |accessdate=06 December 2022}}</ref>, the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year<ref name="LewisEcon18">{{cite web |url=https://www.csis.org/analysis/economic-impact-cybercrime |title=Economic Impact of Cybercrime |author=Lewis, J.A. |publisher=Center for Strategic & International Studies |date=21 February 2018 |accessdate=06 December 2022}}</ref>, though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |archiveurl=https://web.archive.org/web/20200705061737/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |archivedate=05 July 2020 |accessdate=06 December 2022}}</ref> In the end, businesses of all sizes average about $200,000 in losses due to a cybersecurity incident<ref name="HiscoxHiscox19&quot;">{{cite web |url=https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf |format=PDF |title=Hiscox Cyber Readiness Report 2019 |publisher=Hiscox Ltd |date=April 2019 |accessdate=06 December 2022}}</ref>, and nearly 60 percent of small and midsize businesses go bankrupt within six months because of it.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=06 December 2022}}</ref>


Food and beverage laboratories are no exception, regardless of business size. Even tiny labs whose primary digital footprint is a WordPress website advertising their lab are at risk, as hackers could still spread malware, steal user data, add the website to a bot network, hack the site for the learning experience, or even hack it just for fun.<ref name="GrimaTop19">{{cite web |url=https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/ |title=Top reasons why WordPress websites get hacked (and how you can stop it) |author=Grima, M. |publisher=WP White Security |date=15 June 2022 |accessdate=06 December 2022}}</ref><ref name="MoenWhatHack16">{{cite web |url=https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/ |title=What Hackers Do With Compromised WordPress Sites |author=Moen, D. |work=Wordfence Blog |publisher=Defiant, Inc |date=19 April 2016 |accessdate=06 December 2022}}</ref><ref name="TalalevWebsite19">{{cite web |url=https://patchstack.com/articles/website-hacking-statistics/ |title=Website Hacking Statistics You Should Know in 2022 |author=Talaleve, A. |publisher=Patchstack |date=22 February 2022 |accessdate=06 December 2022}}</ref> Even more importantly are those labs performing digital data management tasks that handle sensitive proprietary manufacturer data, requiring additional cybersecurity considerations.
A food and beverage manufacturer and its associated laboratories can integrate cybersecurity thinking into its laboratory informatics product selection in several ways. First, the organization should have a cybersecurity plan in place, or if not, it should be on the radar. This is a good resource to tap into in regards to deciding what cybersecurity considerations should be made for the software. Can the software help your organization meet your cybersecurity goals? What regulatory requirements for your lab are or are not covered by the software?<ref name="DouglasComp20" /> Another tool to consider—which may have been used in any prior cybersecurity planning efforts—is a cybersecurity framework. Many, but not all, cybersecurity frameworks include a catalog of security controls. Each control is "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=06 December 2022}}</ref> These controls give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. Other frameworks may be less oriented to security controls and more program-based or risk-based. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.<ref name="DouglasComp20" />
Finally, having an organizational cybersecurity plan that incorporates one or more cybersecurity frameworks gives the laboratory ample opportunity to apply stated goals and chosen security controls to the evaluation and selection process for its informatics software. In particular, a user requirements specification (URS) that incorporates cybersecurity considerations will certainly help a laboratory with meeting regulatory requirements while also protecting its data systems. A USR that is pre-built with cybersecurity controls in mind—such as [[Book:LIMSpec 2022 R2|LIMSpec]], discussed later—makes the evaluation process even easier.


====3.1.4 Regulatory compliance considerations====
====3.1.4 Regulatory compliance considerations====
Without a doubt, it's vital that food and beverage laboratories operate within the bounds of a regulatory atmosphere, not only to better ensure the best consumer satisfaction outcomes but also to ensure the quality of test results, the safety of end users, and the promise of maintaining traceability across the utilized food chain. Maintaining regulatory compliance requires deliberate approaches to developing and enforcing processes and procedures, quality training, consistent communication, and knowledgeable personnel. It also requires a top-down appreciation and commitment to a culture of quality. From ISO/TS 22002-1:2009 ''Prerequisite programmes on food safety — Part 1: Food manufacturing'' and Codex Alimentarius CXS 234-1999 ''Recommended Methods of Analysis and Sampling'' to 21 CFR Part 120 (concerning hazard analysis and critical control point [HACCP] systems) and Safe Food for Canadians Regulations SOR/2018-108, laboratories have much to consider in regards to what standards and regulations impact them.
That said, consider approaching the question of regulatory compliance from the standpoint of adopting standards. Consider first that the risks and consequences of performing a task poorly drives regulation and, more preferably<ref name="CiocoiuTheRole10">{{cite book |chapter=Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management |title=Advances in Risk Management |author=Ciocoui, C.N.; Dobrea, R.C. |editor=Nota, G. |publisher=IntechOpen |year=2010 |isbn=9789535159469 |doi=10.5772/9893}}</ref><ref name="JPMorganData18">{{cite web |url=https://www.jpmorganchase.com/content/dam/jpmc/jpmorgan-chase-and-co/documents/call-to-action.pdf |format=PDF |title=Data Standardization: A Call to Action |publisher=JPMorgan Chase & Co |date=May 2018 |accessdate=06 December 2022}}</ref>, standardization, which in turn moves the "goalposts" of quality and security among organizations. In the case of regulations, those organization that get caught not conforming to the necessary regulations tend to suffer negative consequences, providing some incentive for them to improve organizational processes and procedures.


One of the downsides of regulations is that they can at times be "imprecise" or "disconnected"<ref name="JPMorganData18" /> from what actually occurs within the organization and its information systems. Rather than focusing heavily on regulatory conformance, well-designed standards may, when adopted, provide a clearer path of opportunity for organizations to improve their operational culture and outcomes, particularly since standards are usually developed with a broader consensus of interested individuals with expertise in a given field.<ref name="CiocoiuTheRole10" /> In turn, the organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of quality and security in the lab.
Additionally, reputable software developers of laboratory informatics software will not only adopt their own industry standards for software development but also understand the standards and regulations that affect food and beverage laboratories. In turn, the developed software should meet regulations and standards, help the laboratory comply with its regulations and standards, and be of reliably good quality.
If you're a potential buyer of a laboratory informatics solution, it may be that you know a bit about your laboratory's workflow and a few of the regulations and standards that influence how that workflow is conducted, but you're not entirely informed about all the regulations and standards that affect your lab. Turning to a URS such as LIMSpec—which was developed around laboratory regulations and standards—and reviewing the various statements contained within may be necessary to help further inform you. Additionally, as you investigate various informatics options, you can then use the requirements in the URS as a base for your laboratory's own requirements list. Using the categories and their subdivisions, you can then add those requirements that are unique to your laboratory and industry that are not sufficiently covered by the base URS. As you review the various options available to you and narrow down your search, your own list of requirements can be used as both as a personal checklist and as a requirements list you hand over to the vendor you query. And since your URS is based off the standards and regulations affecting your lab, you can feel more confident in your acquisition and its integration into your laboratory workflow.


====3.1.5 System flexibility====
====3.1.5 System flexibility====
Before selecting a solution, your laboratory should also have internal discussions about how diversified its offered services are, as well as what the future may bring to the lab. If, for example, your lab is currently configured for food authenticity and adulteration testing, does your existing laboratory informatics system—or the ones you may be considering—have the flexibility to add other types of food and beverage testing, protocols, and workflows? Will you be doing the footwork to add them, or will the vendor of your system support you in that effort? If you're a start-up, will your lab be focusing solely on a specific type of food testing and expand into other types of analytical work later, or will your test menu need to be much broader right from the start? In most of these cases, you'll desire a LIMS that is flexible enough to allow for not only running the specific tests you need now, but also sufficiently expandable for any future testing services your lab may conduct in the mid- and long-term. Having the ability to create and customize [[Sample (material)|sample]] registration screens, test protocols, labels, reports, specification limit sets, measurement units, and substrates/matrices while being able to interface with practically most any instrument and software system required will go a long way towards making your expanding test menu and workflows integrates as smoothly as possible.


Such a system will typically be marketed as being highly user-configurable, giving labs a relatively painless means to adapt to rapid changes in test volume and type over time. However, once you've internally addressed current and anticipated future growth, your lab will want to learn what explicitly makes any given vendor's system user-configurable. How easy is it to configure the system to new tests? Add custom reports? What knowledge or skills will be required of your lab in order to make the necessary changes, i.e., will your staff require programming skills, or are the administrator and advanced user functions robust enough to make changes without hard-coding? These and other such questions should be fully addressed by the vendor in order to set your mind at ease towards a system's stated flexibility. Ultimately, you want the system to be flexible enough to change with the laboratory—and industry—itself, while minimizing overall costs and reducing the time required to make any necessary modifications.


====3.1.6 Cost considerations====
====3.1.6 Cost considerations====
First, you'll want to be clear on what will be included in the sales agreement. Whether through an estimate or statement of work (SOW), it is important it includes exactly what is expected, being as specific as possible, since this will be the entire contractual obligation for both you the buyer and them the vendor. Note that line items may differ slightly from system to system, according to what features and functions are included by default with each vendor's solution and which, if any, are additional. Also keep in mind that any hourly amount in the the estimate or SOW is usually a best estimate; however, if sufficient attention to detailed requirements has been given, then it should be quite accurate, and in fact the final cost may even be below the quoted cost if you prioritize your own obligations so that the vendor's hours are used sparingly and efficiently.
The estimate or SOW should optimally include:
*licensing or subscription rates;
*required core items to meet federal, state, and local regulations;
*additional optional items and totals; and
*required services (implementation, maintenance and support, optional add-ons).
There are two primary ways to price a laboratory informatics solution: a one-time license fee or a subscription rate ([[Cloud computing|cloud-hosted]] [[software as a service]] [SaaS]). If you have your own dedicated IT department and staff, you may prefer the former (although many system administrators are just as happy to let it be hosted elsewhere rather than add to their workload). Otherwise, a SaaS subscription may well be the better and more cost-effective way to go (since the primary IT cost is simply internet access). This item will be part of your up-front cost and, in the case of subscription, it will also figure into your first year and ongoing costs; otherwise only associated maintenance, support, and warranty (MSW) will figure in. Typically, your first year's subscription costs will be due at signing. More often, the vendor may require three months or even the first year up front, so be prepared to factor that into up-front costs. However, it still is almost always less expensive at the outset (and over time, if you factor in IT costs and annual MSW) than paying for a license fee.
In addition to the two types of software pricing, there are also sub-types. Generally these are based on the number of users (or, in some cases, "nodes," which are simply any entities that access the informatics system, including other systems, instruments, etc.). How these are counted can vary.
*Named users: This method bases pricing on the actual individual users of the system, even if they only log in sporadically. Users may not use each other's logins (this is a no-no regardless of pricing structure, for good laboratory practice and other regulatory reasons).
*Concurrent users: This bases pricing on the maximum number of users who will be logged in at any given time. You can define an unlimited number of named users in the system, each with their own login credentials. However, only the number of concurrent users specified in the license or subscription may be logged in at any one time. For example, you may have 10 staff, but due to work processes, shifts, etc., only up to six might ever be logged in simultaneously. Whereas this would require a named user license for 10, it would only require a concurrent user license for six.
*Unlimited users: In the case of very large labs (typically 30 to 50 and up), the license or subscription may simply be a flat fee that allows any number of users.
The line items in the estimate or SOW should reflect these nuances, as well as whether the listed costs are monthly or annual (for subscription services), hourly (typically for support and training), or a fixed one-time cost. Additionally, be cautious with fixed costs, as they typically represent one of two possible scenarios:
#Final fixed cost: In this case, the cost has been figured by the vendor so as to cover their worst-case hourly labor total. If a line item (e.g., an interface) is not "worst case," then you are overpaying.
#"Expandable" fixed cost: This is as bad as final fixed cost, and maybe even worse because it's almost a case of "bait-and-switch," popping up as a surprise. The initial "fixed cost" number is low, and additional hourly services are needed to actually deliver the item. This will have been provided for somewhere in the small print.
The bottom line is that everything in a laboratory informatics solution is really either licensing or hourly services. Just be careful if they are portrayed as anything else.
It is important to be clear which category each line item falls under when figuring costs: up-front (due upon signing), annual, or ongoing (e.g., SaaS subscription). It is useful to clearly lay out each and compute initial costs, as well as first-year and subsequent years' costings. For example, your initial obligation may be as little as your first year's subscription plus the first 40 hours of services. Different vendors have different policies, however, and you may be required to pay for your first full year's subscription and all services, or some other combination. Normally, though, any instrument interface or other service charges aren't due until the they are implemented, which may be a few weeks or even a month down the road. This may depend on your budget, complexity of the SOW, and urgency. Your first year's expenses will include everything, including initial license fees; all setup and training; any interfaces and additional configurations or customization; and first annual MSW. (If this isn't included in the SaaS subscription, then it usually commences on full system delivery). Afterwards, your subscription and MSW will be the only ongoing expenses (included as one in this example), unless you choose to have additional interfaces or other services performed at any time.




Revision as of 23:24, 6 December 2022

3. Choosing laboratory informatics software for your food and beverage lab

Source: LII:Laboratory Informatics Buyer's Guide for Medical Diagnostics and Research/Choosing laboratory informatics software for your lab

3.1 Evaluation and selection

3.1.1 Technology considerations

Source: LIMS FAQ:What are the key elements of a LIMS for food and beverage testing?

3.1.1.1 Laboratory informatics options


3.1.2 Features and functions

Source: LIMS FAQ:What are the key elements of a LIMS for food and beverage testing?

3.1.3 Cybersecurity considerations

From law firms[1] to automotive manufacturers[2], the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year[3], though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses[4] In the end, businesses of all sizes average about $200,000 in losses due to a cybersecurity incident[5], and nearly 60 percent of small and midsize businesses go bankrupt within six months because of it.[6]

Food and beverage laboratories are no exception, regardless of business size. Even tiny labs whose primary digital footprint is a WordPress website advertising their lab are at risk, as hackers could still spread malware, steal user data, add the website to a bot network, hack the site for the learning experience, or even hack it just for fun.[7][8][9] Even more importantly are those labs performing digital data management tasks that handle sensitive proprietary manufacturer data, requiring additional cybersecurity considerations.

A food and beverage manufacturer and its associated laboratories can integrate cybersecurity thinking into its laboratory informatics product selection in several ways. First, the organization should have a cybersecurity plan in place, or if not, it should be on the radar. This is a good resource to tap into in regards to deciding what cybersecurity considerations should be made for the software. Can the software help your organization meet your cybersecurity goals? What regulatory requirements for your lab are or are not covered by the software?[10] Another tool to consider—which may have been used in any prior cybersecurity planning efforts—is a cybersecurity framework. Many, but not all, cybersecurity frameworks include a catalog of security controls. Each control is "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."[11] These controls give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. Other frameworks may be less oriented to security controls and more program-based or risk-based. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.[10]

Finally, having an organizational cybersecurity plan that incorporates one or more cybersecurity frameworks gives the laboratory ample opportunity to apply stated goals and chosen security controls to the evaluation and selection process for its informatics software. In particular, a user requirements specification (URS) that incorporates cybersecurity considerations will certainly help a laboratory with meeting regulatory requirements while also protecting its data systems. A USR that is pre-built with cybersecurity controls in mind—such as LIMSpec, discussed later—makes the evaluation process even easier.

3.1.4 Regulatory compliance considerations

Without a doubt, it's vital that food and beverage laboratories operate within the bounds of a regulatory atmosphere, not only to better ensure the best consumer satisfaction outcomes but also to ensure the quality of test results, the safety of end users, and the promise of maintaining traceability across the utilized food chain. Maintaining regulatory compliance requires deliberate approaches to developing and enforcing processes and procedures, quality training, consistent communication, and knowledgeable personnel. It also requires a top-down appreciation and commitment to a culture of quality. From ISO/TS 22002-1:2009 Prerequisite programmes on food safety — Part 1: Food manufacturing and Codex Alimentarius CXS 234-1999 Recommended Methods of Analysis and Sampling to 21 CFR Part 120 (concerning hazard analysis and critical control point [HACCP] systems) and Safe Food for Canadians Regulations SOR/2018-108, laboratories have much to consider in regards to what standards and regulations impact them.

That said, consider approaching the question of regulatory compliance from the standpoint of adopting standards. Consider first that the risks and consequences of performing a task poorly drives regulation and, more preferably[12][13], standardization, which in turn moves the "goalposts" of quality and security among organizations. In the case of regulations, those organization that get caught not conforming to the necessary regulations tend to suffer negative consequences, providing some incentive for them to improve organizational processes and procedures.

One of the downsides of regulations is that they can at times be "imprecise" or "disconnected"[13] from what actually occurs within the organization and its information systems. Rather than focusing heavily on regulatory conformance, well-designed standards may, when adopted, provide a clearer path of opportunity for organizations to improve their operational culture and outcomes, particularly since standards are usually developed with a broader consensus of interested individuals with expertise in a given field.[12] In turn, the organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of quality and security in the lab.

Additionally, reputable software developers of laboratory informatics software will not only adopt their own industry standards for software development but also understand the standards and regulations that affect food and beverage laboratories. In turn, the developed software should meet regulations and standards, help the laboratory comply with its regulations and standards, and be of reliably good quality.

If you're a potential buyer of a laboratory informatics solution, it may be that you know a bit about your laboratory's workflow and a few of the regulations and standards that influence how that workflow is conducted, but you're not entirely informed about all the regulations and standards that affect your lab. Turning to a URS such as LIMSpec—which was developed around laboratory regulations and standards—and reviewing the various statements contained within may be necessary to help further inform you. Additionally, as you investigate various informatics options, you can then use the requirements in the URS as a base for your laboratory's own requirements list. Using the categories and their subdivisions, you can then add those requirements that are unique to your laboratory and industry that are not sufficiently covered by the base URS. As you review the various options available to you and narrow down your search, your own list of requirements can be used as both as a personal checklist and as a requirements list you hand over to the vendor you query. And since your URS is based off the standards and regulations affecting your lab, you can feel more confident in your acquisition and its integration into your laboratory workflow.

3.1.5 System flexibility

Before selecting a solution, your laboratory should also have internal discussions about how diversified its offered services are, as well as what the future may bring to the lab. If, for example, your lab is currently configured for food authenticity and adulteration testing, does your existing laboratory informatics system—or the ones you may be considering—have the flexibility to add other types of food and beverage testing, protocols, and workflows? Will you be doing the footwork to add them, or will the vendor of your system support you in that effort? If you're a start-up, will your lab be focusing solely on a specific type of food testing and expand into other types of analytical work later, or will your test menu need to be much broader right from the start? In most of these cases, you'll desire a LIMS that is flexible enough to allow for not only running the specific tests you need now, but also sufficiently expandable for any future testing services your lab may conduct in the mid- and long-term. Having the ability to create and customize sample registration screens, test protocols, labels, reports, specification limit sets, measurement units, and substrates/matrices while being able to interface with practically most any instrument and software system required will go a long way towards making your expanding test menu and workflows integrates as smoothly as possible.

Such a system will typically be marketed as being highly user-configurable, giving labs a relatively painless means to adapt to rapid changes in test volume and type over time. However, once you've internally addressed current and anticipated future growth, your lab will want to learn what explicitly makes any given vendor's system user-configurable. How easy is it to configure the system to new tests? Add custom reports? What knowledge or skills will be required of your lab in order to make the necessary changes, i.e., will your staff require programming skills, or are the administrator and advanced user functions robust enough to make changes without hard-coding? These and other such questions should be fully addressed by the vendor in order to set your mind at ease towards a system's stated flexibility. Ultimately, you want the system to be flexible enough to change with the laboratory—and industry—itself, while minimizing overall costs and reducing the time required to make any necessary modifications.

3.1.6 Cost considerations

First, you'll want to be clear on what will be included in the sales agreement. Whether through an estimate or statement of work (SOW), it is important it includes exactly what is expected, being as specific as possible, since this will be the entire contractual obligation for both you the buyer and them the vendor. Note that line items may differ slightly from system to system, according to what features and functions are included by default with each vendor's solution and which, if any, are additional. Also keep in mind that any hourly amount in the the estimate or SOW is usually a best estimate; however, if sufficient attention to detailed requirements has been given, then it should be quite accurate, and in fact the final cost may even be below the quoted cost if you prioritize your own obligations so that the vendor's hours are used sparingly and efficiently.

The estimate or SOW should optimally include:

  • licensing or subscription rates;
  • required core items to meet federal, state, and local regulations;
  • additional optional items and totals; and
  • required services (implementation, maintenance and support, optional add-ons).

There are two primary ways to price a laboratory informatics solution: a one-time license fee or a subscription rate (cloud-hosted software as a service [SaaS]). If you have your own dedicated IT department and staff, you may prefer the former (although many system administrators are just as happy to let it be hosted elsewhere rather than add to their workload). Otherwise, a SaaS subscription may well be the better and more cost-effective way to go (since the primary IT cost is simply internet access). This item will be part of your up-front cost and, in the case of subscription, it will also figure into your first year and ongoing costs; otherwise only associated maintenance, support, and warranty (MSW) will figure in. Typically, your first year's subscription costs will be due at signing. More often, the vendor may require three months or even the first year up front, so be prepared to factor that into up-front costs. However, it still is almost always less expensive at the outset (and over time, if you factor in IT costs and annual MSW) than paying for a license fee.

In addition to the two types of software pricing, there are also sub-types. Generally these are based on the number of users (or, in some cases, "nodes," which are simply any entities that access the informatics system, including other systems, instruments, etc.). How these are counted can vary.

  • Named users: This method bases pricing on the actual individual users of the system, even if they only log in sporadically. Users may not use each other's logins (this is a no-no regardless of pricing structure, for good laboratory practice and other regulatory reasons).
  • Concurrent users: This bases pricing on the maximum number of users who will be logged in at any given time. You can define an unlimited number of named users in the system, each with their own login credentials. However, only the number of concurrent users specified in the license or subscription may be logged in at any one time. For example, you may have 10 staff, but due to work processes, shifts, etc., only up to six might ever be logged in simultaneously. Whereas this would require a named user license for 10, it would only require a concurrent user license for six.
  • Unlimited users: In the case of very large labs (typically 30 to 50 and up), the license or subscription may simply be a flat fee that allows any number of users.

The line items in the estimate or SOW should reflect these nuances, as well as whether the listed costs are monthly or annual (for subscription services), hourly (typically for support and training), or a fixed one-time cost. Additionally, be cautious with fixed costs, as they typically represent one of two possible scenarios:

  1. Final fixed cost: In this case, the cost has been figured by the vendor so as to cover their worst-case hourly labor total. If a line item (e.g., an interface) is not "worst case," then you are overpaying.
  2. "Expandable" fixed cost: This is as bad as final fixed cost, and maybe even worse because it's almost a case of "bait-and-switch," popping up as a surprise. The initial "fixed cost" number is low, and additional hourly services are needed to actually deliver the item. This will have been provided for somewhere in the small print.

The bottom line is that everything in a laboratory informatics solution is really either licensing or hourly services. Just be careful if they are portrayed as anything else.

It is important to be clear which category each line item falls under when figuring costs: up-front (due upon signing), annual, or ongoing (e.g., SaaS subscription). It is useful to clearly lay out each and compute initial costs, as well as first-year and subsequent years' costings. For example, your initial obligation may be as little as your first year's subscription plus the first 40 hours of services. Different vendors have different policies, however, and you may be required to pay for your first full year's subscription and all services, or some other combination. Normally, though, any instrument interface or other service charges aren't due until the they are implemented, which may be a few weeks or even a month down the road. This may depend on your budget, complexity of the SOW, and urgency. Your first year's expenses will include everything, including initial license fees; all setup and training; any interfaces and additional configurations or customization; and first annual MSW. (If this isn't included in the SaaS subscription, then it usually commences on full system delivery). Afterwards, your subscription and MSW will be the only ongoing expenses (included as one in this example), unless you choose to have additional interfaces or other services performed at any time.


3.2 Implementation

If you've ever worked through a system implementation process with a vendor, it was hopefully a smooth process. However, there are plenty of horror stories out there, highlighting the need of the laboratory to discuss in detail how a potential vendor will handle installation, validation, and training for the informatics solution. Does the vendor truly understand the industry and your needs? Does the vendor assign a project manager who will work with you, from planning to go-live and beyond? Can they offer you references of other labs who have gone through implementation so you can compare notes with those labs? How much attention does the potential vendor give to related issues such as data integrity of migrated data? Do they have the means to properly handle your legacy data? And are they able to work with your schedule, even if it means implementing software at off-peak work hours?[14][15]

As you finally get down to the ultimate decision on which vendor to work with, you may wish to start setting up an implementation checklist as part of your early project planning. Do you receive a help desk account as part of the implementation process, and if so, what information is included? If not, you'll need to keep track of specific details such as business associate agreement (BAA), sales agreement, scope documents, welcome letters, documentation, and approved staff who can utilize the vendor's support. You'll likely need to share other configuration details with the vendor, including time zone requirements, DNS and URL requirements, up-time monitors, and administrative account requirements. Finally, you'll want to ensure you and the vendor are on the same page concerning any additional customization, integration, and system validation requirements, ensuring the roll-out period is pain-free and efficient.

3.2.1 Internal and external integrations

LabMachines.jpg

Laboratories acquire data management software for many reasons, including improving accuracy, saving time, increasing productivity, and adding capabilities. One way of doing all of those activities is to integrate or interface your systems, databases, and instruments so that human error is greatly reduced or eliminated, workflows are automated and sped up, and each component's capabilities are brought into play in the most efficient and effective ways possible. As such, you'll want to inquire with the vendor about its solution's hardware and software integration capabilities. Is it designed to interface with every laboratory instrument or software that can output any readable electronic file? Or are integrations limited to certain instruments and systems? How does it connect, i.e., what protocols does the software depend on to connect with other systems? Does the system allow a user to map their own file imports and exports? Can system processes be set to detect new instances of file outputs at regular intervals? Ask these and other questions to make sure the vendor clearly describes what internal and external integrations are supported with their application.

In many cases, a vendor's LIMS solution will have instrument integration capability built into the software, but occasionally such interfaces are separate from the main software. Today's instrument interfaces are generally built on standardized communication protocols such as RS-232, RS-422, IEEE-488 (GPIB), USB, Ethernet, and more.[16] The LIMS that can support such instrument integrations is increasingly vital to the food and beverage laboratory. Food and beverage labs may also want their laboratory informatics solution to be able to communicate with other software and databases. This is often done using application programming interfaces (APIs) that depend on web services implementation protocols such as REST and SOAP.[17][18][19] These messaging protocols actually allow for the creation of an API that receives communication requests and sends responses between two software systems. A more practical example is wanting your laboratory informatics solution to communicate with an enterprise resource planning (ERP) application. Perhaps the ERP system needs to create sample batches within the informatics solution, and when testing is done, have the results returned to the ERP. APIs and communication protocols make this happen.[18]


3.3 MSW, updates, and other contracted services

The maintenance, support, and warranty (MSW) offered with the vendor's solution is almost as important as the solution itself. The laboratory informatics solution you acquire is more than than the software you operate: it's mission-critical and deserves having a reliable and responsive team with the necessary resources to ensure it remains operational. Downtime can negatively affect both immediate customer satisfaction and your reputation. As such, it's imperative you ask the vendor about the details of its MSW, making sure you understand what is and isn't covered, as well as how much it will cost. Cost-wise, industry norms are anywhere from 15% to 25% of either the license fee or total contract, levied annually to provide this coverage.[20] Alternatively, it may simply be included with your subscription. The MSW will include a specified number of support and maintenance hours or guarantees. The actual warranty should be unlimited for as long as the MSW or subscription is kept current.

Maintenance includes any and all work necessary to keep your system working as designed. It should include updates, patches, or fixes, and most if not all upgrades. (Note, however, a major upgrade to a totally new edition may not be covered, but it may come at a negotiable, significantly lower cost.[21]) The support aspect of MSW generally consists of a specified number of hours dedicated more to helping you with the operation of the system rather than "fixing" anything. Support includes guidance on training, password or login support, and more. Finally, with any professional application you also expect to have a warranty. The warranty should cover anything that doesn't work that otherwise should for the designated period of time.[21] That includes any standard features and functions, as well as any additional ones that were delivered and signed off on, and any other work performed by the vendor or its representatives. However, a typical warranty does not cover anything that was working fine, but upon being manipulated in a way beyond normal operation the functionality ceased. In these cases, you'll probably have to pay to get it fixed.

Beyond the MSW, additional updates and services related to the system may also be required. No matter how well it is pre-configured, any professional laboratory informatics solution will require some amount of standard setup to reflect your particular lab. This includes adding lab branding and demographics for reports and certificates; entering users, their roles, and access permissions; adding and/or modifying tests and workflows; renaming fields; adding or hiding fields; setting up a web portal; and implementing interfaces. Equally indispensable is proper training for both users and administrators. And of course you may later find that you would like additional features or functions. These and other services may prove particularly useful to the laboratory with little in the way of IT and systems expertise. As such, the vendor may provide one or more of the following as a billable service for the laboratory:

  • initial implementation meeting (e.g., initial planning, identify delta, set schedule)
  • project management
  • requirements gathering and documentation
  • initial setup
  • user and administrator training
  • configuration and customization
  • interface development and implementation
  • custom screen and field development
  • custom functionality development
  • custom reports and labels
  • custom triggers and alerts
  • validation or acceptance testing (to a third-party standard or certification, or to agreed manufacturer specs)


3.4 How a user requirements specification fits into the entire process (LIMSpec)

Merriam-Webster defines a "specification" as "a detailed precise presentation of something or of a plan or proposal for something."[22] In other words, an existing or theoretical product, concept, or idea is presented in detail for a particular audience. In a broad sense, detailing the specifics about a project, concept, or idea to others is just common sense. This applies just as well to the world of software development, where a software requirements specification is essential for preventing the second most commonly cited reason for project failure: poor requirements management.[23]

In fact, the ISO/IEC/IEEE 29148:2018 standard (a conglomeration of what was formerly IEEE 830 and other standards) is in place to help specify "the required processes implemented in the engineering activities that result in requirements for systems and software products" and provide guidelines for how to apply those requirements.[24] The standard describes the characteristics that make up quality software requirement development, including aspects such as[25]:

  • correctly describing system behavior;
  • effectively removing ambiguity from the language used;
  • completely covering the system behavior and features;
  • accurately prioritizing and ranking the requirements; and
  • unequivocally ensuring the requirements are testable, modifiable, and traceable.

A requirement typically comes in the form of a statement that begins with "the system/user/vendor shall/should ..." and focuses on a provided service, reaction to input, or expected behavior in a given situation. The statement may be abstract (high-level) or specific and detailed to a precise function. The statement may also be of a functional nature, describing functionality or services in detail, or of a non-functional nature, describing the constraints of a given functionality or service and how it's rendered. An example of a functional software requirement could be "the user shall be able to query either all of the initial set of databases or select a subset from it." This statement describes specific functionality the system should have. On the other hand, a non-functional requirement, for example, may state "the system's query tool shall conform to the ABC 123-2014 standard." The statement describes a constraint placed upon the system's query functionality.

This is where a requirements specification shines, not only for the software developer but also for those acquiring the software. A set of development requirements, compiled in the form of a software requirements specification, can serve to strengthen the software development process. For those acquiring the software, a set of user requirements, compiled in the form of a user requirements specification (URS), can be used for the selection and acquisition of software or a service.[26][27] In the case of the URS, the acquiring business can approach this several ways. The simple way would be to essentially take the vendor at the word in regards to what they say their system can and can't do, agreeing formally to their description and taking responsibility that it will cover all the applicable regulations required by your business. However, this method isn't comprehensive and leaves the business open to not being able to fully meet its goals.[27]

The other method has the URS be specific to your business' needs. The process is more work but leaves less to chance.[27] Developing your own URS isn't always straightforward. Often times, the developed document turns into a mix of "wishlist" requirements from potential and active clients, as well as regulation-mandated requirements. The wishlist items aren't necessarily ignored by developers, but the URS should in fact clearly prioritize requirements as "nice to have" or "essential to system operation," or something in between.[28][29][30] Whatever the URS looks like in the end, it's ultimately up to the vendor to be able to demonstrate how the software does and does not meet its requirements.

In the latter half of this guide, you'll be given an opportunity to see an example of a URS for the food and beverage industry in the form of LIMSpec, an evolving set of software requirements specifications for laboratory informatics systems. Built from requirements found in ASTM E1578-18 Standard Guide for Laboratory Informatics, as well as dozens of other standards and regulations, we will use LIMSpec to demonstrate how a URS can be put to use, while also showing you how an informatics system can help you laboratory better meet regulatory requirements.

References

  1. Sobowale, J. (1 March 2017). "Law firms must manage cybersecurity risks". ABA Journal. American Bar Association. http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/. Retrieved 06 December 2022. 
  2. Watney, C.; Draffin, C. (November 2017). "Addressing new challenges in automotive cybersecurity" (PDF). R Street Policy Study No. 118. R Street Institute. https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf. Retrieved 06 December 2022. 
  3. Lewis, J.A. (21 February 2018). "Economic Impact of Cybercrime". Center for Strategic & International Studies. https://www.csis.org/analysis/economic-impact-cybercrime. Retrieved 06 December 2022. 
  4. "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. Archived from the original on 05 July 2020. https://web.archive.org/web/20200705061737/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 06 December 2022. 
  5. "Hiscox Cyber Readiness Report 2019" (PDF). Hiscox Ltd. April 2019. https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf. Retrieved 06 December 2022. 
  6. Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 06 December 2022. 
  7. Grima, M. (15 June 2022). "Top reasons why WordPress websites get hacked (and how you can stop it)". WP White Security. https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/. Retrieved 06 December 2022. 
  8. Moen, D. (19 April 2016). "What Hackers Do With Compromised WordPress Sites". Wordfence Blog. Defiant, Inc. https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/. Retrieved 06 December 2022. 
  9. Talaleve, A. (22 February 2022). "Website Hacking Statistics You Should Know in 2022". Patchstack. https://patchstack.com/articles/website-hacking-statistics/. Retrieved 06 December 2022. 
  10. 10.0 10.1 Cite error: Invalid <ref> tag; no text was provided for refs named DouglasComp20
  11. "security control". Computer Security Resource Center. National Institute of Standards and Technology. 2019. https://csrc.nist.gov/glossary/term/security_control. Retrieved 06 December 2022. 
  12. 12.0 12.1 Ciocoui, C.N.; Dobrea, R.C. (2010). "Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management". In Nota, G.. Advances in Risk Management. IntechOpen. doi:10.5772/9893. ISBN 9789535159469. 
  13. 13.0 13.1 "Data Standardization: A Call to Action" (PDF). JPMorgan Chase & Co. May 2018. https://www.jpmorganchase.com/content/dam/jpmc/jpmorgan-chase-and-co/documents/call-to-action.pdf. Retrieved 06 December 2022. 
  14. Wagner, M. (10 October 2019). "7 Software Implementation Challenges and How to Solve Them". WalkMe Blog. WalkMe Ltd. https://blog.walkme.com/7-software-implementation-challenges/. Retrieved 06 December 2022. 
  15. Mura, A. (12 July 2018). "Bullet-Proof Software Implementation Plan: Challenges and Tactics". Userlane Digital Adoption Blog. Userlane GmbH. https://www.userlane.com/software-implementation-plan/. Retrieved 06 December 2022. 
  16. Williams, C.D.H.. "Computer Interfaces for Instrumentation Systems". University of Exeter. https://newton.ex.ac.uk/teaching/CDHW/Interfaces/. Retrieved 06 December 2022. 
  17. Monus, A. (17 October 2022). "SOAP vs REST vs JSON - a 2023 comparison". Raygun. https://raygun.com/blog/soap-vs-rest-vs-json/. Retrieved 06 December 2022. 
  18. 18.0 18.1 LabVantage Solutions (7 January 2018). "A Quick Guide to LIMS Web Services". LabVantage Solutions, Inc. https://www.labvantage.com/a-quick-guide-to-lims-web-services/. Retrieved 06 December 2022. 
  19. Grand, A.; Geda, E.; Mignone, A. et al. (2019). "One tool to find them all: A case of data integration and querying in a distributed LIMS platform". Database 2019: baz004. doi:10.1093/database/baz004. 
  20. Scavo, F. (8 February 2005). "High Software Maintenance Fees and What to Do About Them". Computer Economics. https://www.computereconomics.com/article.cfm?id=1033. Retrieved 06 December 2022. 
  21. 21.0 21.1 Gordon-Byrne, G. (2014). "Maintenance in the Digital World". IT Performance Improvement. Taylor & Francis, LLC. Archived from the original on 05 May 2021. https://web.archive.org/web/20210505220938/http://www.ittoday.info/ITPerformanceImprovement/Articles/2014-08GordonByrne2.html. Retrieved 06 December 2022. 
  22. "specification". Merriam-Webster. Merriam-Webster, Inc. https://www.merriam-webster.com/dictionary/specification. Retrieved 06 December 2022. 
  23. Bieg, D.P. (August 2014). "Introduction" (PDF). Requirements Management: A Core Competency for Project and Program Success. Project Management Institute. p. 3. https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/requirements-management.pdf. Retrieved 06 December 2022. 
  24. "ISO/IEC/IEEE 29148:2018". International Organization for Standardization. November 2018. https://www.iso.org/standard/72089.html. Retrieved 06 December 2022. 
  25. Seibert, P. (28 July 2011). "How do you write software requirements? What are software requirements? What is a software requirement?". HubTechInsider. https://hubtechinsider.wordpress.com/2011/07/28/how-do-you-write-software-requirements-what-are-software-requirements-what-is-a-software-requirement/. Retrieved 06 December 2022. 
  26. Memon, A. (Spring 2010). "Software Requirements: Descriptions and specifications of a system" (PDF). University of Maryland. https://www.cs.umd.edu/~atif/Teaching/Spring2010/Slides/3.pdf. Retrieved 06 December 2022. 
  27. 27.0 27.1 27.2 Schmitt, S. (2018). "User Requirements Specifications–How Difficult Can It Be?". Pharmaceutical Technology 42 (11): 58. https://www.pharmtech.com/view/user-requirements-specifications-how-difficult-can-it-be-0. Retrieved 06 December 2022. 
  28. Aasem, M.; Ramzan, M.; Jaffar, A. (2010). "Analysis and optimization of software requirements prioritization techniques". Proceedings from the 2010 International Conference on Information and Emerging Technologies: 1–6. doi:10.1109/ICIET.2010.5625687. 
  29. Hirsch, J. (22 November 2013). "10 Steps To Successful Requirements Gathering". Phase2 Technology, LLC. https://www.phase2technology.com/blog/successful-requirements-gathering. Retrieved 06 December 2022. 
  30. Burris, E. (2007). "Requirements Specification". CS451R, University of Missouri–Kansas City. University of Missouri–Kansas City. Archived from the original on 25 September 2019. https://web.archive.org/web/20190925003040/http://sce2.umkc.edu/BIT/burrise/pl/requirements/. Retrieved 06 December 2022. 
Retrieved from "https://www.limswiki.org/index.php?title=User:Shawndouglas/sandbox/sublevel9&oldid=50443"