Regulations

Learn / Regulations

Regulations

For quality control laboratories, there can be quite a few regulations to follow depending on the industry you serve. We have outlined below common regulations of the pharma industry with their requirements and guidelines describing some areas that should be assessed when implementing and maintaining a LIMS for your laboratory operations.

ISO 9001

Laboratories operating to ISO 9001 standards will have a general framework in place for quality management which helps them deliver a consistent product and service enhancing their customer satisfaction. This standard is generic and is not specific for laboratories; however, there will be some requirements of the standard you should consider when implementing a LIMS:

  • Resources

    – Your organisation is required to determine and provide resources needed. This also includes identifying those resources that are obtained from external providers.
  • Documented Information

    – As a LIMS is used to store documented information, be sure that the access, storage, retrieval, control of changes, retention and disposition of data within the system is aligned with the requirements of your quality management system.
  • Control of externally provided processes, products and services

    – Where your LIMS is a hosted solution, be sure to have a documented contract or SLA in place that details your requirements for their service and their responsibilities. As good practice, you should define criteria for evaluation, selection, monitoring of performance and re-evaluation of your suppliers.

ISO 17025

The ISO 17025 standard is designed specifically for quality management for laboratories of all types. Where a lab complies with ISO 17025, they will operate a quality management system that also meets the requirements of ISO 9001. Therefore, highlighted below are some key areas of this standard which are different to those of 9001 that should be considered when using a LIMS:

  • Document Control

    – There are specific requirements regarding changes to documentation. You should have procedures that detail how changes in documentation that is maintained within a computerized system such as a LIMS are created and controlled.
  • Control of Records

    – Laboratories should maintain a procedure for identification, collections, indexing, access, filing, storage, maintenance and disposal of quality and technical records. As a LIMS is used to record and store records, you should ensure your procedures cover the use of your LIMS. It would be beneficial to describe where and how records are held secure and in confidence, and also how records stored electronically are backed-up and data integrity is maintained. Furtherrequirements are specified for technical records. These requirements would also apply to the functionality with your LIMS. For example, observations, data and calculation shall be recorded at the time they are made and identifiable to a specific task. This could be translated to the recording of test results via equipment integration for a sample against a particular test method in your LIMS. In addition, where mistakes occur, the original record should not be erased or deleted. This should be key functionality in your LIMS to ensure edits do not overwrite original data entries.
  • Control of Data

    – Where computer software is used for processing, recording, storage and retrieval of test data, the laboratory must ensure that the software is fit for purpose and can maintain the integrity of test data. Bespoke software developed by the laboratory itself should be suitably validated as being adequate for use. Commercial of the shelf software (COTS) maybe be considered sufficiently validated; however, the laboratory should validate the configuration. Procedures should also be implemented for protecting data integrity, confidentiality, entry, storage, transmission and processing. Where any of the above is completed by the supplier as part of a hosted solution, a contract or SLA should be in place to detail the responsibilities of your supplier.
  • Reporting Results

    – Your LIMS may automate results reporting for you. Therefore, you should ensure your LIMS has the functionality to meet the requirements of this standard. Most LIMS have a reporting package that allows you to customise reports. As a guideline, your LIMS should include the following on your electronically generated Test Reports:
    • A title
    • The name and address of the laboratory
    • Unique identifier and page number
    • The name and address of the customer
    • Identification of the method used
    • A description of the items tested
    • The date of receipt of the test items
    • Reference to the sampling plan and procedures used by the laboratory
    • The test results
    • The name, function and signature of the person authorising the report
    • Where relevant, a statement to the effect that the results relate to only the items tested
    • Interpretations of the results where applicable/necessary
    • Results of sampling where necessary for the interpretation of the results

GMP and GAMP

GMP, known as Good Manufacturing Practice, is the generic practice for the manufacture of pharmaceuticals and is enforced by different regulatory bodies for each country across the world (e.g. the MHRA in the UK and the FDA in the US). Each regulatory body may also publish their own respective guidelines for companies to implement GMP to assure products are manufactured to a high quality and do not pose a risk to consumers or patients. Example guidelines are the Orange Guide by the MHRA and 21 Code of Federal Regulations (CFR) by the FDA.

GAMP, known as Good Automated Manufacturing Practice, is a publication to provide guidance to achieve computerized systems that are fit for intended use and meet current GxP regulatory requirements (‘x’ can be interchanged with acronyms other than ‘M’ such as ‘C’ for Clinical or ‘D’ for Distribution).

Annex 11 of the Orange Guide describes the UK GMP guidance for the use of Computerized Systems, and 21 CFR Part 11 details the US FDA regulations on electronic records and signatures. Click Here to download your 21 CFR Part 11 checklist. In the section below, we highlight a few key areas for consideration when implementing and maintaining a LIMS in a GMP environment. Please refer to your relevant regulatory authority GMP guidelines for full details.

Project Phase

LIMS used as part of GMP regulated activities should be validated. The validation process should be based on a risk assessment and would generally include the following documentation providing evidence your LIMS is fit for purpose:

  • Traceable user requirements which describe the required function of the system based on risk and GMP impact.
  • Suppliers should be assessed to ensure the system has been developed in accordance with an appropriate quality management system.
  • Evidence of test methods and test scenarios should be documented, especially around parameter limits, data limits and error handling.
  • Any changes or deviations during the validation process must be recorded and documented.
  • Where data is migrated, validation should include checks to ensure data integrity has been maintained.

Operational Phase

The guidance detailed for the operational phase for your LIMS focuses both on functionality required of the system as well as processes and documentation you should have in place to maintain your LIMS throughout its lifecycle. We have summarised five areas of guidance below:

  • Accuracy Checks – The functionality within your LIMS should include additional checks on the accuracy of data. It should be done by an independent and secondary operator by validated electronic means (typically using electronic signatures).
  • Data Storage – Whether you have an in-house or hosted solution, the data within your LIMS should be secured by both physical and electronic means. Regular back-ups should be performed and the integrity of the back-up data should be checked during validation and periodically throughout the lifetime of your LIMS.
  • Audit Trails – GMP-relevant changes and deletions should be recorded in a system generated “audit trail” which is not editable. These audit trails should be available and regularly reviewed.
  • Security – Many LIMS have user account functionality to restrict access to authorised persons. This is a key requirement of GMP where the extent of the security controls in place are appropriate to the criticality of the data being accessed. Creation, change or cancellation of access should also be recorded, and because LIMS is designed to manage GMP critical data, the system should record the identity of operators entering, changing confirming or deleting data including date and time.
  • Electronic Signature – Your LIMS should have electronic signature functionality which is permanently linked to their respective record, include the time and date it was applied and has the same impact as a hand-written signature with your company. There is further detailed requirements of electronic records and signatures in 21 CFR Part 11 that is also recognized by regulatory bodies other than the US FDA.

References:

ISO 9001:2015 Quality Management Systems – Requirements – ISO

EN ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories – ISO/IEC

Rules and Guidance for Pharmaceutical Manufacturers and Distributors 2014 – MHRA

Guidance for Industry Part 11, Electronic Records; Electronic Signatures – Scope and Application – US FDA 2003

GAMP Good Practice – A Risk-Based Approach to GxP Compliant Laboratory Computerized Systems Second Edition – ISPE 2012