U. S. Department of Energy
Consolidated Audit Program
Checklist 5
Laboratory Information Management Systems
Electronic Data Management
Revision 4.3 – March 2017
Use of this DOECAP checklist is authorized only if the user has satisfied the copyright restrictions associated with TNI-EL-V1-2009 and ISO 17025:2005. DOECAP does not control or restrict the use of copyrighted standards that have been incorporated into this checklist; however, TNI and ISO do restrict use of their standards.
Audit ID: / Date:U.S. Department of Energy Consolidated Audit Program
Laboratory Information Management Systems Electronic Data Management
/ DOECAP Audit Checklist: 5 Rev. 4.3Effective Date: March 2017 Page 15 of 15
Audit ID: Laboratory: Auditor:
Areas of Review During Audit
__ Personnel / __ Hardware / __ LIMS Data
__ Facilities / __ Software / __ Complaints
__ Security
Status Key:
A = Acceptable U = Unacceptable NA = Not Applicable NO = Not Observed F = Finding O = Observation
Referenced regulations are accessible at the following URLs:
· http://www.p2s.com/?page_id=1526
NOTE:
· When audit findings are written against site-specific documents (i.e., SOPs, QA Plans, licenses, permits, etc.), a copy of the pertinent requirement text from that document must be attached to this checklist for retention in DOECAP files.
· Fully document any deviation from the LOI or the requirements of the QSM.
· Refer to Page 15 for the record of revision.
· EPA 2185 GALP has not been updated since 1995, but the content of the document are still relevant to the DOECAP laboratory audits. The date of the last release was 9/10/1995.
Item Number / Line of Inquiry / Status / Summary of Observations/Objective Evidence
Reviewed Audit Notes /
1.0 / Personnel
1.1 / Do the LIMS and electronic data management support staff and users have adequate education, training and experience to perform the assigned LIMS functions?
QSM, Rev. 5.0, Module 2, Section 4.2.3, a), ISO 17025. Clause 4.2.3, EPA 2185 GALP, 8/10.1995, Section 8.2.1, pg. 1-9
1.2 / Has the technical staff demonstrated capability in the activities for which they are responsible?
QSM Rev. 5.0, Module 2, Section 4.2.3, b), ISO 17025, Clause 4.2.3
1.3 / Is the demonstration of capability for technical staff recorded?
QSM Rev. 5.0, Module 2, Section 4.2.3, b), ISO 17025, Clause 4.2.3
1.4 / Is the training for each member of the technical staff kept up-to-date (on-going)?
QSM Rev. 5.0, Module 2, Section 4.2.3, c), ISO 17025, Clause 4.2.3
1.5 / Does the training file for each employee contain a certification that the employee has read, understands and is using the latest version of the management system records relating to his/her job responsibilities?
QSM Rev. 5.0, Module 2, Section 4.2.3, c) (i, ISO 17045, Clause 4.2.3
1.6 / Are the QA personnel entirely separate from and independent of the LIMS personnel?
ISO/IEC 17025, 4.1.5 I0, EPA 2185 GALP, Section 8.3.1, pg. 1-10
1.7 / Do the QA personnel report directly to laboratory management?
ISO/IEC 17025, 4.1.5 I0, EPA 2185 GALP, 9/10/1995, Section 8.3.1, pg. 1-10
1.8 / Does the laboratory have a procedure to ensure individual user names and passwords are required for all LIMS users and that those passwords are changed at least once per year?
QSM Rev.5.0, Module 2, Section 5.4.7.2, d), ISO 17025, Clauses 5.4.7.2, a – c
See Checklist 1, LOI 19.9
2.0 / LIMS Data
2.1 / Are periodic inspections (at least annually) of the LIMS operations performed by the QA unit to ensure the integrity of LIMS data?
QSM Rev. 5.0, Module 2, Section 5.4.7.2; f, ISO 17025 Clauses 5.4.7.2, a - c
2.2 / Does the QA unit maintain records of inspections and does QA submit reports to laboratory management noting any problems identified with LIMS data processing and stating the corrective actions taken?QSM Rev. 5.0, Module 2, Section 5.4.7.2; f, ISO 17025 Clauses 5.4.7.2, a - c
2.3 /
Does an SOP exist for the manual entry of raw data from analytical measurements when there is not a direct interface to the LIMS, e.g., double key entry, single entry with secondary review, etc.?
QSM Rev. 5.0, Module 2, Section 4.2.8.4 u), ISO/IEC 17025, 5.4.7.1
See Checklist 1, LOI 19.112.4 / Does an SOP exist for making changes to electronic data?
QSM Rev.5.0, Module 2, Section 4.2.8.4, v.; ISO 17025 Clauses 5.4.7.2, a – c, EPA 2185, GA:P GALP, 9/10/1995,Section 8.4.5, pg. 1-11
See Checklist 1, LOI 19.11
2.5 / Does an SOP exist for how electronic data are processed, maintained, and reported by the LIMS?
QSM Rev. 5.0, Module 2, Section 4.2.8.4, w
2.6 / Does an SOP exist for the retention of electronic data, documentation, and records pertaining to the LIMS?
QSM Rev.5.0, Module 2, Section 4.2.8.4 t) and 5.4.7.2, i) v), EPA 2185
GALP, , 9/10/1995, Section 8.9, pg. 1-13
See Checklist 1, LOI 19.11
2.7 / Are the individual(s) responsible for entering and recording LIMS raw data uniquely identified when the data are recorded?
EPA 2185 GALP, , 9/10/1995, Section 8.4.2, pg. 1-11
2.8 / Is the instrument transmitting LIMS raw data uniquely identified when the data are recorded?
EPA 2185 GALP, , 9/10/1995, Section 8.4.3, pg. 1-11
See Checklist 1, LOI 19.3
2.9 / Are the time(s) and date(s) documented?
EPA 2185 GALP, Section 8.4.3, pg. 1-11
See Checklist 1, LOI 19.4
2.10 / Are the procedures and practices for making changes to LIMS raw data documented and does the documentation provide evidence of the change and preserve the original recorded documentation (see 2.8 and 2.9)?
· Documentation is dated?
· Documentation indicates the reason for the change?
· Documentation identifies the person who made the change if different?
· Documentation identifies the person who authorized the change?
QSM Rev. 5.0, Module 2, Section 4.2.8.4, v, EPA 2185 GALP, 9/10/1995, Section 8.4.5, pg. 1-11
See Checklist 1, LOI 19.5
3.0 / Software
3.1 / Does an SOP exist for software development methodologies that are based on the size and nature of the software being developed?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) i)
3.2 / Does an SOP exist for testing and QA methods to ensure that all LIMS software accurately performs its intended functions?
Does the SOP include:
· acceptance criteria;
· tests to be used;
· personnel responsible for conducting the tests;
· records of test results;
· frequency of continuing verification of the software, and,
· test review and approvals?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) ii)
3.3 / Does an SOP exist for software change control methods that include instructions for requesting, authorizing, requirements to be met by the software change, testing, QC, approving, implementing changes, and establishing priority of change requests?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) iii)
3.4 / Does an SOP for software version control methods exist that document the LIMS software version currently used?
QSM Rev. 5.0;Module 2, Section 5.4.7.2, i)iv)
3.5 / Are data sets documented with the date and time of generation and/or the LIMS software version used to generate the data set?
QSM Rev. 5.0; Section 5.4.7.2, )iv)
3.6 / Does an SOP exist for maintaining a historical file of software, software operating procedures, software changes, and software version numbers?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) v)
3.7 / Are records available in the laboratory to demonstrate the validity of laboratory-generated software?
QSM Rev. 5.0, Section 5.4.7.2, j)
3.8 / Does the facility Software Change Control documentation identify:
· persons requesting and authorizing software changes?
· requirements to be met by the change?
· measures for testing and QA?
· approving changes?
· implementing changes?;
· establishing priority of change requests?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) iii)
See Checklist 1, LOI 19.6
3.9 / Are records available to demonstrate the validity of laboratory-generated software?
Do the records include:
· Software description and functional requirements?
· Listing of algorithms and formulas?
· Testing and QA records? and
· Installation, operation, and maintenance records?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, j)
3.10 / Do software historical files of all versions of software programs exist and include dates that software was placed into and removed from production?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, i) v)
3.11 / Are the equations used in spreadsheets verified before initial use and after any changes to the equations or formulas?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, h)
3.12 / Are software revision updates, and records available for review?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, h)
3.13 / Are formula cells write-protected to minimize inadvertent changes to the formulas?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, h)
3.14 / Do printouts from any spreadsheets include all information used to calculate the data?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, h)
4.0 / Security
4.1 / Upon employment, do employees receive initial training in computer security awareness and have ongoing refresher training on an annual basis?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, e; k) iii)
See Checklist 1, LOI 19.10
4.2 / Is the documentation of this training maintained and available for review?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, e; k) iii)
See Checklist 1, LOI 19.10
4.3 / Are the operating system privileges and file access safeguards implemented to restrict the use of LIMS data to users with authorized access?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, d; k) ii)
See Checklist 1, LOI 19.7
4.4 / Are system events, such as log-on failures or break-in attempts monitored?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, k) iv)
4.5 / Is the electronic data management system protected from the introduction of computer viruses?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, k) v)
See Checklist 1, LOI 19.8
4.6 / Do emergency, backup, disaster recovery, and contingency plans exist for the LIMS?
EPA 2185 GALP, 9/10/1995, Section 8.6 Security, Section V. Risk Management, pg. 2-84 – 2-85
4.7 / Do system backups occur on a regular and published schedule and can the system backups be performed by more than one person within the organization?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, k) vi), EPA 2185 GALP, 9/10/1995, Section 8.6, Security, Section V. Risk Management, pg. 2-84 – 2-85
See Checklist 1, LOI 19.1
4.8 / Are tests of the system backups performed and recorded to demonstrate that the backup systems contain all required data?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, k) vii)
See Checklist 1, LOI 19.2
4.9 / Is the physical access to the servers limited by security measures such as locating the system within a secured facility or room, and/or utilizing cipher locks or key cards?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, k) viii)
4.10 / Are fire extinguishers that are designed to avoid damage to computer equipment available and mounted in visible, accessible areas?
EPA 2185 GALP, 9/10/1995, Section 8.6 Security, Section VI. Minimum Safeguards by Asset, Section C. Data Center Computing. 3. Physical and Environmental Safeguards, pg. 2-96
See Checklist 1, LOI 19.12
5.0 / Hardware
5.1 / Is a description of the LIMS design and capacity documented and maintained?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, j) i), EPA 2185 GALP, 9/10/1995, Section 8.7.1, pg. 1-12
5.2 / Is an SOP established and maintained that defines the acceptance criteria, testing, documentation, and approval required for changes to the LIMS hardware and communications components?
QSM, Rev. 5.0, Module 2, Section 4.2.8.5, xxv) & 5.4.7.2, i) vi), EPA 2185 GALP, 9/10/1995, Section 8.7.2, pg. 1-13
5.3 / Is the documentation of the regularly scheduled maintenance for LIMS hardware and communications components maintained and does it include:
· A descriptions of operations performed?
· The names of the persons who conducted them?
· The dates operations were performed?
· The results?
EPA 2185 GALP, Section 8.7.3, pg. 1-13
5.4 / Does the documentation of non-routine maintenance include:
· A description of the problem?
· A corrective action?
· The acceptance testing criteria?
· The testing that was performed to ensure the LIMS hardware and communications components have been adequately repaired?
EPA 2185 GALP, 9/10/1995, Section 8.7.3, pg. 1-13
5.5 / Do SOPs exist for routine operations of hardware?
EPA 2185 GALP, 9/10/1995, Section 8.7.3, pg. 1-13
5.6 / Is documentation of routine operations of hardware maintained?
EPA 2185 GALP, 9/10/1995, Section 8.7.3, pg. 1-13
5.7 / Does the facility have a procedure to notify the customer prior to changes in LIMS software or hardware configuration that will adversely affect customer electronic data?
QSM Rev. 5.0, Module 2, Section 5.4.7.2, g
5.8 / Has a Disaster Recovery Plan been developed?
EPA 2185 GALP, Section 8.6, Security, Section VI. Minimum Safeguards by Asset, Section C. Data Center Computing, 4. Backups, pg. 2-96 - 2-97
5.9 / Has the Disaster Recovery Plan been tested on a regular and published schedule?
EPA 2185 GALP, Section 8.6, Security, Section VI. Minimum Safeguards by Asset, Section C. Data Center Computing, 4. Backups, pg. 2-96 - 2-97
6.0 / Facilities
6.1 / Are the servers located in a temperature-controlled environment with adequate ventilation?
EPA 2185 GALP, 9/10/1995, Section 8.6 Security, Section VI. Minimum Safeguards by Asset, Section C. Data Center Computing. 3. Physical & Environmental Safeguards, pg. 2-89
6.2 / Are the LIMS and associated communications components protected through the use of surge protectors and connection to an uninterrupted power supply?
EPA 2185 GALP, 9/10/1995, Section 8.6 Security, Section VI. Minimum Safeguards by Asset, Section A., Stand-Alone Computing, Section 3. Physical and Environmental Safeguards, pg. 2-89
6.3 / Is environmentally adequate storage space provided for the retention of LIMS data storage media and hard copy records?
EPA 2185 GALP, 9/10/1995, Section 8.10 Facilities, 2 LIMS Raw Data Storage, pg. 2-118
6.4 / Are long-term archival copies of LIMS backup media stored in an offsite location with the same environmental control and security systems required of onsite storage facilities?
EPA 2185 GALP, 9/10/1995, Section 8.10 Facilities, 2 LIMS Raw Data Storage, pg. 2-118
7.0 / Electronic Data Deliverables
7.1 / Does an SOP exist for how electronic deliverables are processed, maintained and reported?
QSM Rev. 5.0, Module 2, Section 4.0, 4.2.8.4, w; TNI EL-V1 -2009, Section 4.2.8.4 d)
7.2 / Does an SOP exist for verifying that electronic data deliverables match hardcopy report forms (for clients requiring both)?
QSM Rev. 5.0, Module 2, Section 4.0, 4.2.8.4, x); TNI EL-V1 -2009, Section 4.2.8.4 p)
7.3 / Does an SOP exist for handling and documenting client-requested modifications to electronic data deliverable formats?
QSM Rev. 5.0, Module 2, Section 4.0, 4.2.8.4, v)
7.4 / Are the hardcopy data reporting forms and electronic data deliverables created from the same source?
QSM Rev. 5.0, Module 2, Section 4.0, 4.2.8.4, s) – aa); TNI EL-V1 -2009, Section 4.2.8.4 a) – r)
7.5 / Does a corrective action plan exist for resolving discrepancies between electronic data deliverables and hard copy report forms?
QSM Rev. 5.0, Module 2, Section 4.0, 4.2.8.4, t & Section 4.11; TNI EL-V1-2009, Section 4.2.8.4 l) – n) / .
Notes: