Lab Data Management Customized for Compliance

Foundation of DECIDE4ACTION

Streamlined for success

LAB4ACTION is a complete Lab Information Management System (LIMS) that eliminates the need for paper-based data collection. It streamlines quality management by moving it from the lab into the production workplace. Organizations can avoid compromising the quality and consistency of captured data. With LAB4ACTION, Quality Assurance leaders create a seamless organization where everyone involved has access to the checks, testing and data required to make sound decisions that directly affect operational quality.

Designed for Compliance

customized to meet your needs

DECIDE4ACTION uses the Food and Drug Administration’s (FDA) industry guidance and expectations for the role of data integrity in current good manufacturing practices (CGMP) as the measuring stick against which we design and evaluate our methods and processes. Our approach is that all data should be reliable, accurate, recorded, maintained and secure. With the FDA and CGMP as our barometer, the recommended guidance and current regulations allow organizations to adopt risk-based, flexible strategies to prevent and detect data integrity issues. Per the FDA’s final industry guidance, “Firms should implement meaningful and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models.”

the FDA recommends the following

When considering how to meet many of these regulatory requirements, it may be useful to ask the following questions:

  • Are controls in place to ensure that data is complete?
  • Are activities documented at the time of performance?
  • Are activities attributable to a specific individual?
  • Can only authorized individuals make changes to records?
  • Is there a record of changes to data?
  • Are records reviewed for accuracy, completeness, and compliance with established standards?
  • Is data maintained securely from data creation through disposition after the record’s retention period?

Source: Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry

LAB4ACTION: Designed for Compliance

LAB4ACTION provides client customization not only to address specific client needs such as terminologies, calculations, specifications, reporting and processes, but also to adapt to and conform to various industry compliance and regulatory requirements, e.g. FDA, ISO, SQF, CLIA, HIPAA, CFR Part 11, GDPR, MHRA, etc. DECIDE4ACTION solutions such as LAB4ACTION are designed to support organizations in meeting compliance and regulatory guidance associated with data management in temporary memory.

Below is how LAB4ACTION’s architecture, design and functionality address regulatory compliance demands:

Regulatory Specification

Introduce a mechanism to authenticate protected information, e.g. ePHI
  • Incorporates industry-standard protocol for authorization (OAuth2)
  • Architecture and mechanism in place to confirm whether protected information has been altered or destroyed in an unauthorized manner
  • Captures, documents and maintains historical records of individual user access with time/date stamp of access

Regulatory Specification

Implement tools for encryption and decryption
  • Enhanced security available at the data level via AES256 encryption
  • Encryption/decryption of messages in transit via TLS over TCP

Regulatory Specification

Facilitate automatic log-off of PCs and devices
  • Prevents unauthorized access of protected information on unattended devices by logging authorized personnel off of the device they are using to access or communicate protected information after a pre-defined period of time
  • JWTs automatically expire after a period of non-activity, locking access to the RESTful API

Regulatory Specification

Ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency
  • Ability to generate/print reports to access data captured by LAB4ACTION. Reports can be pulled for any range of dates
  • Ability to digitally sign records in the system. Digital signature will automatically capture timestamp, User ID and status of record review (Verified for Accuracy, Completeness & Compliance; Frequency Met; Comments etc)

Regulatory Specification

Protection of records to enable their accurate and ready retrieval throughout the records retention period
  • Deleted records are archived for possible retrieval and to ensure complete data integrity
  • Role-based security limiting who can add/alter/delete records

Regulatory Specification

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify or delete electronic records
  • Server automatically generates record containing User ID and timestamp for each data modification

Regulatory Specification

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
  • Access to the system is only granted to users who have a valid role in the system
  • Granular access to different functions is controlled on a role basis within the system

Regulatory Specification

Controls for open systems corresponding to controls for closed systems bulleted above (§11.30)
  • DECIDE4ACTION systems like LAB4ACTION support secure HTTP (HTTPS) with SSL/TLS session encryption to protect sessions and records from unauthorized access.
  • The RESTful API refuses requests that do not carry a signed JSON Web Token. JWTs can be signed using either HS256 or RS256
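As an added illustration (not LAB4ACTION’s own code) of the two JWT behaviours described above, the inactivity expiry and the refusal of requests that lack a valid signed token: a minimal HS256 issuer and verifier using only the Python standard library. The secret, the 15-minute idle window and the user id are constructed demo values, and only HS256 is shown, not RS256.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps this in a secrets store.
SECRET = b"constructed-demo-secret-not-for-production"
IDLE_TIMEOUT = 15 * 60  # assumed inactivity window in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose exp is now + IDLE_TIMEOUT. Re-issuing it on each
    authenticated request is what turns a fixed exp into an inactivity timeout."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + IDLE_TIMEOUT},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: Optional[str], now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the token is present, HS256-signed with SECRET
    and unexpired; any other case returns None and the API should answer 401."""
    now = int(time.time()) if now is None else now
    if not token or token.count(".") != 2:
        return None  # missing or malformed token: request is refused
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: "none" or anything other than HS256 is rejected
        # before the signature is even looked at.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature does not match: tampered or foreign token
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # token lapsed after the inactivity window
    return claims
```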

Regulatory Specification

Implement a means of user access control to authorized individuals
  • REST API access secured via industry-standard JSON Web Tokens (JWT)
  • Assigns centrally-controlled unique username and code for each user

Regulatory Specification

Introduce activity logs and audit controls
  • System produces real-time, computer-generated, time-stamped audit trails that ensure the trustworthiness and reliability of the records
  • System automatically captures, identifies and records data & configuration changes such as user ID, date/time, original value, new value, etc.
  • Maintains strict audit controls by registering attempted access to protected information and maintaining historical records of what is done with that data once it has been accessed
  • Any data entered manually is checked versus specifications predefined by the client
  • System automatically logs system failures and errors
  • All audit trails are available for real-time and historical viewing and reporting

Regulatory Specification

Validation of Systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records
  • Periodic validation testing to confirm integrity of functionality changes
  • In-application prompts and warnings before administrators toggle settings which affect product functionality
  • Automatic capture of User ID, timestamp, old & new values for all changes. Capture of “non-authorized” changes via database tools

Regulatory Specification

Limiting system access to authorized individuals
  • Role based security linked to individual user accounts limiting scope of accessible functions
  • System access only granted to approved users using unique user account and password
  • OAuth 2.0 protocol

Regulatory Specification

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate
  • Tests and transactions are configured in a stepwise manner (further test cannot be started without having completed the previous one). System users are constrained to execute data capture within the permitted sequence
  • Sequence of data collection is captured automatically by the server

Regulatory Specification

Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
  • LAB4ACTION has the ability to capture device IP Address and to blacklist specific addresses. Static IP Addresses can be assigned to unique codes automatically generated for each device. Implementation of this must be done on the client’s server system

Regulatory Specification

Requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)
  • DECIDE4ACTION systems like LAB4ACTION incorporate electronic/digital signatures, featuring username/password combinations along with user initials and date/time-stamped security