Difference between revisions of "User:Shawndouglas/sandbox/sublevel21"

From LIMSWiki
Jump to navigationJump to search
Line 8: Line 8:
==Sandbox begins below==
==Sandbox begins below==


==31. Configuration Management==
==32. Configuration Management==
{|  
{|  
  | STYLE="vertical-align:top;"|
  | STYLE="vertical-align:top;"|
Line 19: Line 19:
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-1]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-1]
   | style="background-color:white;" |'''31.1''' The system shall provide tools to enter and manage user-configurable lookup or master data.
   | style="background-color:white;" |'''32.1''' The system shall provide tools to enter and manage user-configurable lookup or master data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-2]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-2]
   | style="background-color:white;" |'''31.2''' The system shall allow authorized users to configure the specification limits for sample and instrument tests.
   | style="background-color:white;" |'''32.2''' The system shall allow authorized users to configure the specification limits for sample and instrument tests.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/162.1002 45 CFR Part 162.1002]<br />[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Sampling Procedures for PDP 6.3.2]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/162.1002 45 CFR Part 162.1002]<br />[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Sampling Procedures for PDP 6.3.2]
   | style="background-color:white;" |'''31.3''' The system shall allow system nomenclature to be configured to use specific data code sets—such as the International Classification of Diseases or the Healthcare Common Procedure Coding System—or mandated terminology to support regulatory requirements.
   | style="background-color:white;" |'''32.3''' The system shall allow system nomenclature to be configured to use specific data code sets—such as the International Classification of Diseases or the Healthcare Common Procedure Coding System—or mandated terminology to support regulatory requirements.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-3]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-3]
   | style="background-color:white;" |'''31.4''' The system should allow authorized personnel to configure the review and approval of multiple tests at the sample, batch, project, and experiment levels.
   | style="background-color:white;" |'''32.4''' The system should allow authorized personnel to configure the review and approval of multiple tests at the sample, batch, project, and experiment levels.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-4]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-4]
   | style="background-color:white;" |'''31.5''' The system should allow warning and material specification limits to be entered and configured so as to allow their comparison against entered results and determinations for determining whether the results meet those specifications or limits.
   | style="background-color:white;" |'''32.5''' The system should allow warning and material specification limits to be entered and configured so as to allow their comparison against entered results and determinations for determining whether the results meet those specifications or limits.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/211.100 21 CFR Part 211.100 (b)]<br />[https://www.law.cornell.edu/cfr/text/21/211.160 21 CFR Part 211.160 (a)]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/211.100 21 CFR Part 211.100 (b)]<br />[https://www.law.cornell.edu/cfr/text/21/211.160 21 CFR Part 211.160 (a)]
   | style="background-color:white;" |'''31.6''' The system should provide a configurable means of allowing the system to automatically save after each entry to help meet ALCOA, CGMP, and other requirements to contemporaneously record data into records.
   | style="background-color:white;" |'''32.6''' The system should provide a configurable means of allowing the system to automatically save after each entry to help meet ALCOA, CGMP, and other requirements to contemporaneously record data into records.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/40/3.10 40 CFR Part 3.10]<br />[https://www.law.cornell.edu/cfr/text/40/3.2000 40 CFR Part 3.2000]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-5]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/40/3.10 40 CFR Part 3.10]<br />[https://www.law.cornell.edu/cfr/text/40/3.2000 40 CFR Part 3.2000]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-5]
   | style="background-color:white;" |'''31.7''' The system should provide a configurable (based on sample, test, or both) means of permitting electronic signatures for both entered results and approved reports.
   | style="background-color:white;" |'''32.7''' The system should provide a configurable (based on sample, test, or both) means of permitting electronic signatures for both entered results and approved reports.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-6]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-6]
   | style="background-color:white;" |'''31.8''' The system should be capable of providing a complete list of all tests loaded in the system, the amount of material required for each test, and to which location the samples are to be sent for testing.
   | style="background-color:white;" |'''32.8''' The system should be capable of providing a complete list of all tests loaded in the system, the amount of material required for each test, and to which location the samples are to be sent for testing.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-7]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-7]
   | style="background-color:white;" |'''31.9''' The system shall support configurable laboratory workflows based on appropriate laboratory process and procedure.
   | style="background-color:white;" |'''32.9''' The system shall support configurable laboratory workflows based on appropriate laboratory process and procedure.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-8]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-8]
   | style="background-color:white;" |'''31.10''' The system shall allow authorized personnel to assign status values for purposes of tracking sample progress or other portions of laboratory workflow.
   | style="background-color:white;" |'''32.10''' The system shall allow authorized personnel to assign status values for purposes of tracking sample progress or other portions of laboratory workflow.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/211.68 21 CFR Part 211.68]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-9]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/211.68 21 CFR Part 211.68]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-9]
   | style="background-color:white;" |'''31.11''' The system should allow authorized personnel to perform revision control of lookup or master data.
   | style="background-color:white;" |'''32.11''' The system should allow authorized personnel to perform revision control of lookup or master data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-10]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-10]
   | style="background-color:white;" |'''31.12''' The system should provide a means for importing lookup or master data.
   | style="background-color:white;" |'''32.12''' The system should provide a means for importing lookup or master data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 59: Line 59:
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.11.6]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.11.6]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Data and Instrumentation for PDP 9.1]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Data and Instrumentation for PDP 9.1]
   | style="background-color:white;" |'''31.13''' The system shall be able to define the number of significant figures (i.e., set rounding rules) for reported numeric data.
   | style="background-color:white;" |'''32.13''' The system shall be able to define the number of significant figures (i.e., set rounding rules) for reported numeric data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-12]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-12]
   | style="background-color:white;" |'''31.14''' The system should allow calculated limits to be created and managed based on test results and relevant metadata.
   | style="background-color:white;" |'''32.14''' The system should allow calculated limits to be created and managed based on test results and relevant metadata.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-13]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 3.2.6]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.11]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-13]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 3.2.6]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.11]
   | style="background-color:white;" |'''31.15''' The system should provide a clear alert or notification upon entry of out-of-specification results.
   | style="background-color:white;" |'''32.15''' The system should provide a clear alert or notification upon entry of out-of-specification results.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-14]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-14]
   | style="background-color:white;" |'''31.16''' The system shall allow authorized personnel to update static and dynamic data.
   | style="background-color:white;" |'''32.16''' The system shall allow authorized personnel to update static and dynamic data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-15]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-15]
   | style="background-color:white;" |'''31.17''' The system should allow workflow events and status changes to trigger one or more user-defined actions.
   | style="background-color:white;" |'''32.17''' The system should allow workflow events and status changes to trigger one or more user-defined actions.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-17]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-17]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]
   | style="background-color:white;" |'''31.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
   | style="background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-18]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-18]
   | style="background-color:white;" |'''31.19''' The system should allow administrators to programmatically customize system modules or build calculations within the application.
   | style="background-color:white;" |'''32.19''' The system should allow administrators to programmatically customize system modules or build calculations within the application.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-19]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-19]
   | style="background-color:white;" |'''31.20''' The system should provide a multiuser interface that can be configured to local user needs, including display language, character sets, and time zones.
   | style="background-color:white;" |'''32.20''' The system should provide a multiuser interface that can be configured to local user needs, including display language, character sets, and time zones.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.100 21 CFR Part 11.100 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-20]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.100 21 CFR Part 11.100 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-20]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
   | style="background-color:white;" |'''31.21''' The system should support rules governing electronic records and electronic signatures in regulated environments.
   | style="background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
[https://www.law.cornell.edu/cfr/text/7/331.11 7 CFR Part 331.11]<br />
[https://www.law.cornell.edu/cfr/text/7/332.11 7 CFR Part 332.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (d)]<br />
Line 107: Line 107:
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://extranet.who.int/prequal/content/who-technical-report-seriesWHO Technical Report Series, #986, Annex 2, 15.9]
[https://extranet.who.int/prequal/content/who-technical-report-seriesWHO Technical Report Series, #986, Annex 2, 15.9]
   | style="background-color:white;" |'''31.22''' The system shall provide a security interface usable across all modules of the system that secures data and operations and prevents unauthorized access to data and functions.
   | style="background-color:white;" |'''32.22''' The system shall provide a security interface usable across all modules of the system that secures data and operations and prevents unauthorized access to data and functions.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br /[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br /[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]
   | style="background-color:white;" |'''31.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
   | style="background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-22]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-22]
   | style="background-color:white;" |'''31.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data.
   | style="background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 129: Line 129:
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
   | style="background-color:white;" |'''31.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.
   | style="background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 137: Line 137:
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
   | style="background-color:white;" |'''31.26''' The system shall prevent the same combination of identification components from being used across more than one account.
   | style="background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
[https://www.law.cornell.edu/cfr/text/21/11.300 21 CFR Part 11.300 (b)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 E17-5 and S-3-1]<br />[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
[https://www.law.cornell.edu/cfr/text/21/11.300 21 CFR Part 11.300 (b)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 E17-5 and S-3-1]<br />[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
   | style="background-color:white;" |'''31.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
   | style="background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]
   | style="background-color:white;" |'''31.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
   | style="background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]
   | style="background-color:white;" |'''31.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
   | style="background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]
   | style="background-color:white;" |'''31.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.
   | style="background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 164: Line 164:
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
   | style="background-color:white;" |'''31.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts and electronic signings.
   | style="background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts and electronic signings.
  |-
  |-
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 171: Line 171:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]
   | style="background-color:white;" |'''31.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
   | style="background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.200 21 CFR Part 11.200 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.200 21 CFR Part 11.200 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]
   | style="background-color:white;" |'''31.33''' The system shall require at least one unique identification component for additional electronic signings (beyond initial login) during a single, continuous session.
   | style="background-color:white;" |'''32.33''' The system shall require at least one unique identification component for additional electronic signings (beyond initial login) during a single, continuous session.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
[https://www.law.cornell.edu/cfr/text/7/331.11 7 CFR Part 331.11]<br />
[https://www.law.cornell.edu/cfr/text/7/332.11 7 CFR Part 332.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/21/11.200 21 CFR Part 11.200 (a)]<br />
[https://www.law.cornell.edu/cfr/text/21/11.200 21 CFR Part 11.200 (a)]<br />
Line 187: Line 187:
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]
   | style="background-color:white;" |'''31.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.
   | style="background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
[https://www.law.cornell.edu/cfr/text/7/331.11 7 CFR Part 331.11]<br />
[https://www.law.cornell.edu/cfr/text/7/332.11 7 CFR Part 332.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/9/121.11 9 CFR Part 121.11]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (d)]<br />
Line 201: Line 201:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]
   | style="background-color:white;" |'''31.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both.
   | style="background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 208: Line 208:
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-24]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-24]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
   | style="background-color:white;" |'''31.36''' The system shall force a user's electronic signature to be unique and traceable to a specific user's account.
   | style="background-color:white;" |'''32.36''' The system shall force a user's electronic signature to be unique and traceable to a specific user's account.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.100 21 CFR Part 11.100 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-24]<br />
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.100 21 CFR Part 11.100 (a)]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-24]<br />
   | style="background-color:white;" |'''31.37''' The system shall prevent the reuse or reassignment of a user's electronic signature.
   | style="background-color:white;" |'''32.37''' The system shall prevent the reuse or reassignment of a user's electronic signature.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.50 21 CFR Part 11.50]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.50 21 CFR Part 11.50]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]
   | style="background-color:white;" |'''31.38''' When the system generates a complete and accurate copy of an electronically signed record, it shall also display the printed name of the signer, the date and time of signature execution, and any applicable meaning associated with the signature. This shall be applicable for both electronically displayed and printed copies of the electronic record.
   | style="background-color:white;" |'''32.38''' When the system generates a complete and accurate copy of an electronically signed record, it shall also display the printed name of the signer, the date and time of signature execution, and any applicable meaning associated with the signature. This shall be applicable for both electronically displayed and printed copies of the electronic record.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-26]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-1-26]
   | style="background-color:white;" |'''31.39''' The system should provide a means to migrate static data into the system.
   | style="background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system.
  |-   
  |-   
|}
|}
|}
|}

Revision as of 18:18, 19 September 2019

Sandbox begins below

32. Configuration Management

Regulation, Specification, or Guidance Requirement
ASTM E1578-18 S-1-1 32.1 The system shall provide tools to enter and manage user-configurable lookup or master data.
ASTM E1578-18 S-1-2 32.2 The system shall allow authorized users to configure the specification limits for sample and instrument tests.
45 CFR Part 162.1002
USDA Sampling Procedures for PDP 6.3.2
32.3 The system shall allow system nomenclature to be configured to use specific data code sets—such as the International Classification of Diseases or the Healthcare Common Procedure Coding System—or mandated terminology to support regulatory requirements.
ASTM E1578-18 S-1-3 32.4 The system should allow authorized personnel to configure the review and approval of multiple tests at the sample, batch, project, and experiment levels.
ASTM E1578-18 S-1-4 32.5 The system should allow warning and material specification limits to be entered and configured so as to allow their comparison against entered results and determinations for determining whether the results meet those specifications or limits.
21 CFR Part 211.100 (b)
21 CFR Part 211.160 (a)
32.6 The system should provide a configurable means of allowing the system to automatically save after each entry to help meet ALCOA, CGMP, and other requirements to contemporaneously record data into records.
40 CFR Part 3.10
40 CFR Part 3.2000
ASTM E1578-18 S-1-5
32.7 The system should provide a configurable (based on sample, test, or both) means of permitting electronic signatures for both entered results and approved reports.
ASTM E1578-18 S-1-6 32.8 The system should be capable of providing a complete list of all tests loaded in the system, the amount of material required for each test, and to which location the samples are to be sent for testing.
ASTM E1578-18 S-1-7 32.9 The system shall support configurable laboratory workflows based on appropriate laboratory process and procedure.
ASTM E1578-18 S-1-8 32.10 The system shall allow authorized personnel to assign status values for purposes of tracking sample progress or other portions of laboratory workflow.
21 CFR Part 211.68
ASTM E1578-18 S-1-9
32.11 The system should allow authorized personnel to perform revision control of lookup or master data.
ASTM E1578-18 S-1-10 32.12 The system should provide a means for importing lookup or master data.

AIHA-LAP Policies 2018 2A.7.8.4
ASTM E1578-18 S-1-11
EPA ERLN Laboratory Requirements 4.11.6
USDA Data and Instrumentation for PDP 9.1

32.13 The system shall be able to define the number of significant figures (i.e., set rounding rules) for reported numeric data.
ASTM E1578-18 S-1-12 32.14 The system should allow calculated limits to be created and managed based on test results and relevant metadata.
ASTM E1578-18 S-1-13
EPA ERLN Laboratory Requirements 3.2.6
EPA ERLN Laboratory Requirements 4.9.11
32.15 The system should provide a clear alert or notification upon entry of out-of-specification results.
ASTM E1578-18 S-1-14 32.16 The system shall allow authorized personnel to update static and dynamic data.
ASTM E1578-18 S-1-15 32.17 The system should allow workflow events and status changes to trigger one or more user-defined actions.
ASTM E1578-18 S-1-17
CJIS Security Policy 5.7.1
32.18 The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
ASTM E1578-18 S-1-18 32.19 The system should allow administrators to programmatically customize system modules or build calculations within the application.
ASTM E1578-18 S-1-19 32.20 The system should provide a multiuser interface that can be configured to local user needs, including display language, character sets, and time zones.
21 CFR Part 11.100 (a)
ASTM E1578-18 S-1-20
E.U. Annex 11-14
32.21 The system should support rules governing electronic records and electronic signatures in regulated environments.

7 CFR Part 332.11
9 CFR Part 121.11
21 CFR Part 11.10 (d)
21 CFR Part 211.68
42 CFR Part 73.11
45 CFR Part 164.308
AAVLD Requirements for an AVMDL Sec. 4.10.1.3–4
AAVLD Requirements for an AVMDL Sec. 5.4.4.1
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1492-11 4.2.4
ASTM E1578-18 S-1-16
ASTM E1578-18 S-1-21
CJIS Security Policy 5.5.2
E.U. Annex 11-12
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.1.14–15
EPA ERLN Laboratory Requirements 4.9.4 and 4.9.14
ISO/IEC 17025:2017 7.11.3
USDA Administrative Procedures for the PDP 5.2.4
Technical Report Series, #986, Annex 2, 15.9

32.22 The system shall provide a security interface usable across all modules of the system that secures data and operations and prevents unauthorized access to data and functions.
CJIS Security Policy 5.5.2.2–3<br /EPA ERLN Laboratory Requirements 4.1.14–15 32.23 The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
ASTM E1578-18 S-1-22 32.24 The system should support single sign-on such that a user can log in once and access all permitted functions and data.

21 CFR Part 11.200 (a)
45 CFR Part 164.312
45 CFR Part 170.315 (d)
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1578-18 E17-5 and S-3-1
CJIS Security Policy 5.6.1
E.U. Annex 11-14
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 7.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.9.4
ISO 15189:2012 5.10.3
WHO Technical Report Series, #986, Annex 2, 15.9

32.25 The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.

21 CFR Part 11.300 (a)
ASTM E1578-18 E17-5 and S-3-1
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
ISO 15189:2012 5.10.3

32.26 The system shall prevent the same combination of identification components from being used across more than one account.

21 CFR Part 11.300 (b)
ASTM E1578-18 E17-5 and S-3-1
ISO 15189:2012 5.10.3

32.27 The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
CJIS Security Policy 5.6.3.1 32.28 The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
CJIS Security Policy 5.5.2.2 32.29 The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
CJIS Security Policy 5.5.4 32.30 The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.

21 CFR Part 11.300 (d)
21 CFR Part 211.68
21 CFR Part 211.100
21 CFR Part 211.160 (a)
21 CFR Part 211.188
21 CFR Part 211.194
ASTM E1578-18 E17-5 and S-3-1
CJIS Security Policy 5.4.1.1
E.U. Commission Directive 2003/94/EC Article 9.2
ISO 15189:2012 5.10.3
WHO Technical Report Series, #986, Annex 2, 15.9

32.31 The system shall keep an accurate audit trail of login activities, including failed login attempts and electronic signings.

21 CFR Part 11.300 (d)
ASTM E1578-18 E17-5 and S-3-1
CJIS Security Policy 5.5.3
ISO 15189:2012 5.10.3

32.32 The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
21 CFR Part 11.200 (a)
ASTM E1578-18 S-3-1
32.33 The system shall require at least one unique identification component for additional electronic signings (beyond initial login) during a single, continuous session.

7 CFR Part 332.11
9 CFR Part 121.11
21 CFR Part 11.200 (a)
21 CFR Part 211.68 (b)
21 CFR Part 211.188 (b-11)
21 CFR Part 211.194 (a-7 and a-8)
21 CFR Part 212.50 (c-10)
42 CFR Part 73.11
ASTM E1578-18 S-3-1
CJIS Security Policy 5.6.3.2

32.34 The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.

7 CFR Part 332.11
9 CFR Part 121.11
21 CFR Part 11.10 (d)
42 CFR Part 73.11
42 CFR Part 493.1231
45 CFR Part 164.308
45 CFR Part 164.514
45 CFR Part 170.315 (d)
ASTM E1578-18 S-1-25
CJIS Security Policy 5.5.1
EPA ERLN Laboratory Requirements 4.1.14–15

32.35 The system shall support the ability to initially assign new individual users to system groups, roles, or both.

21 CFR Part 11.100 (a)
45 CFR Part 164.312
ASTM E1578-18 S-1-24
E.U. Annex 11-14

32.36 The system shall force a user's electronic signature to be unique and traceable to a specific user's account.
21 CFR Part 11.100 (a)
ASTM E1578-18 S-1-24
32.37 The system shall prevent the reuse or reassignment of a user's electronic signature.
21 CFR Part 11.50
E.U. Annex 11-14
32.38 When the system generates a complete and accurate copy of an electronically signed record, it shall also display the printed name of the signer, the date and time of signature execution, and any applicable meaning associated with the signature. This shall be applicable for both electronically displayed and printed copies of the electronic record.
ASTM E1578-18 S-1-26 32.39 The system should provide a means to migrate static data into the system.